purecrypter | 893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef

General

Target

e4d9015e2bed3af0480b51231b68bb23.exe
Size

194KB
MD5

e4d9015e2bed3af0480b51231b68bb23
SHA1

c148f8cc0d8930602a00155cc0f370d2e22a811a
SHA256

893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef
SHA512

5bc66c3aac2497c2e3df851dc75011cf529a0fd76ab18280a626c4a2975b07e740ed74cbb6afe9b4ea518d4a2772f5783120c3881ff551ef2be14abb0842c665
SSDEEP

6144:+rdOfeBDRzseSmV7v2PCc4gorppZiG73TAW:+rdOfeia79

Score

10^/10

purecrypter collection downloader loader spyware stealer

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1884-56-0x00000000072E0000-0x00000000075E4000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description pid process target process

PID 1884 set thread context of 988 1884 e4d9015e2bed3af0480b51231b68bb23.exe e4d9015e2bed3af0480b51231b68bb23.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1280 988 WerFault.exe e4d9015e2bed3af0480b51231b68bb23.exe

flow	ioc
5	ipinfo.io
6	ipinfo.io

description	pid	process	target process
PID 1884 set thread context of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe

pid	pid_target	process	target process
1280	988	WerFault.exe	e4d9015e2bed3af0480b51231b68bb23.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e4d9015e2bed3af0480b51231b68bb23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e4d9015e2bed3af0480b51231b68bb23.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e4d9015e2bed3af0480b51231b68bb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

280 powershell.exe

pid	process
280	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exepowershell.exee4d9015e2bed3af0480b51231b68bb23.exe

description	pid	process
Token: SeDebugPrivilege	1884	e4d9015e2bed3af0480b51231b68bb23.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	988	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exee4d9015e2bed3af0480b51231b68bb23.exe

description	pid	process	target process
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

outlook_win_path 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
"C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1880
3⤵
- Program crash
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-59-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5.7MB

Download
memory/280-61-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5.7MB

Download
memory/280-60-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5.7MB

Download
memory/280-57-0x0000000000000000-mapping.dmp

Download
memory/988-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-71-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-76-0x0000000007FD0000-0x0000000008082000-memory.dmp

Filesize
712KB

Download
memory/988-75-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/988-73-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-64-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-67-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-68-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-69-0x00000000004D215E-mapping.dmp

Download
memory/1280-77-0x0000000000000000-mapping.dmp

Download
memory/1884-56-0x00000000072E0000-0x00000000075E4000-memory.dmp

Filesize
3.0MB

Download
memory/1884-54-0x0000000001340000-0x0000000001376000-memory.dmp

Filesize
216KB

Download
memory/1884-62-0x0000000005A60000-0x0000000005B54000-memory.dmp

Filesize
976KB

Download
memory/1884-55-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads