File name:	MaryWatters.wsf
Full analysis:	https://app.any.run/tasks/35fd18dd-4478-43d6-a6aa-c88dfeb1d6fe
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 13:02:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	text/html
File info:	HTML document, ASCII text, with CRLF line terminators
MD5:	3CD511CE2A070946739C55B8A3DAEC98
SHA1:	41B5B46C8035CFD26EDAFFD16A32DEAF93E316DD
SHA256:	4ADDDED66ED92FA76BAE32CFC577FC892B4B34E115C8B116D60C9340B382DD92
SSDEEP:	1536:iIzbJeeGUJIgg2/A+ZfukgKo9kNxyJ3OOjll68fef0qu7iE5ToGauKTYL7TBHQ/m:iIzbJXGUJtL/A+ZfUl6yqfs80


(PID) Process:	(2852) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31180185
(PID) Process:	(2852) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In SystemInfo
Value: 1
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In DirectDraw
Value:
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In DirectSound
Value: 1
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In DirectSound
Value:
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In VideoCapture
Value: 1
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In SystemInfo
Value:
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In DirectDraw
Value: 1
(PID) Process:	(3032) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In VideoCapture
Value:

PID	Process	Filename		Type
7752	reg.exe	C:\Users\admin\AppData\Local\Temp\REGC3EE.tmp		text
		MD5:9B854EFE8795D80357D5515CC1D4186F	SHA256:AA7CFB6E102C4D6E38EB3DCA4F3DF416B9657C808B8DDFC4D284627BE9C14803
7752	reg.exe	C:\Users\admin\AppData\Local\Temp\Reg\Notif.reg.txt		text
		MD5:9B854EFE8795D80357D5515CC1D4186F	SHA256:AA7CFB6E102C4D6E38EB3DCA4F3DF416B9657C808B8DDFC4D284627BE9C14803
7972	reg.exe	C:\Users\admin\AppData\Local\Temp\Reg\AllCredFilter.reg.txt		text
		MD5:9A5A295EFDC30925C631166A5D041BD3	SHA256:88275B3C833910726328D29FB29F50FF6E5D357E8D3F316362C6D709D5FA5EF5
7860	reg.exe	C:\Users\admin\AppData\Local\Temp\REGC526.tmp		text
		MD5:C64DC9068CE4ECC37DBD1F7EC4C18466	SHA256:FFA3724BE323FBDA2358F7902FEB0DF35D7A9F8C4B817D4430776D666996938C
7860	reg.exe	C:\Users\admin\AppData\Local\Temp\Reg\AllCred.reg.txt		text
		MD5:C64DC9068CE4ECC37DBD1F7EC4C18466	SHA256:FFA3724BE323FBDA2358F7902FEB0DF35D7A9F8C4B817D4430776D666996938C
5392	reg.exe	C:\Users\admin\AppData\Local\Temp\Reg\HKLMWlanSvc.reg.txt		text
		MD5:87F2A9E5A4192112D2E96CAE2B4254AA	SHA256:9D3B9148E6377CB110B6BD989846BC6574C90BF65E0095A998731490235B13B7
7972	reg.exe	C:\Users\admin\AppData\Local\Temp\REGC94D.tmp		text
		MD5:9A5A295EFDC30925C631166A5D041BD3	SHA256:88275B3C833910726328D29FB29F50FF6E5D357E8D3F316362C6D709D5FA5EF5
2852	TiWorker.exe	C:\Windows\Logs\CBS\CBS.log		text
		MD5:D9EE67AB81B7A1A19F527F69FB8B1E1D	SHA256:141DB977921BE02AC7C9244402F8F3D7EFA4FA60C2BF7E570026DADCF0E99C16
5392	reg.exe	C:\Users\admin\AppData\Local\Temp\REGCD64.tmp		text
		MD5:87F2A9E5A4192112D2E96CAE2B4254AA	SHA256:9D3B9148E6377CB110B6BD989846BC6574C90BF65E0095A998731490235B13B7
2040	cmd.exe	C:\Users\admin\AppData\Local\Temp\envinfo.txt		text
		MD5:5AC753CCED8259823D9C2215B210156D	SHA256:698234E927A731661284FE17D8C8EC5C0ED19D47A9D2C9F124E9C5B2DC6DE8ED

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6148	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6148	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1328	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6148	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
6544	svchost.exe	20.190.160.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248 172.211.123.249	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	23.215.0.132 23.215.0.133 96.7.128.186 96.7.128.192	whitelisted
ipv4only.arpa	192.0.0.171 192.0.0.170	whitelisted
login.live.com	20.190.160.3 40.126.32.133 40.126.32.138 20.190.160.130 20.190.160.4 20.190.160.14 20.190.160.65 40.126.32.76 20.190.159.73 20.190.159.68 40.126.31.3 40.126.31.2 20.190.159.71 20.190.159.75 20.190.159.0 40.126.31.129	whitelisted
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 4.231.128.59	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
crl.microsoft.com	23.48.23.169 23.48.23.167 23.48.23.166 23.48.23.155 23.48.23.159 23.48.23.162 23.48.23.150 23.48.23.173 23.48.23.168 23.48.23.180 23.48.23.194 23.48.23.161 23.48.23.181 23.48.23.176 23.48.23.193	whitelisted

General Info

MaryWatters.wsf

3CD511CE2A070946739C55B8A3DAEC98

41B5B46C8035CFD26EDAFFD16A32DEAF93E316DD

4ADDDED66ED92FA76BAE32CFC577FC892B4B34E115C8B116D60C9340B382DD92

1536:iIzbJeeGUJIgg2/A+ZfukgKo9kNxyJ3OOjll68fef0qu7iE5ToGauKTYL7TBHQ/m:iIzbJXGUJtL/A+ZfUl6yqfs80

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates a new folder (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Group Policy Discovery via Microsoft GPResult Utility

Creates FileSystem object to access computer's file system (SCRIPT)

Uses SYSTEMINFO.EXE to read the environment

Get information on the list of running processes

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Uses powercfg.exe to modify the power settings

Uses WEVTUTIL.EXE to archive the exported log

Uses WEVTUTIL.EXE to export log

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Uses NETSH.EXE to obtain data on the network

Suspicious use of NETSH.EXE

Connects to the server without a host name

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Windows service management via SC.EXE

Starts SC.EXE for service management

Executes application which crashes

INFO

Create files in a temporary directory

Reads security settings of Internet Explorer

Execution of CURL command

Checks supported languages

The sample compiled with english language support

Prints a route via ROUTE.EXE

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests