Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2024 01:57

Behavioral task: behavioral1
  Sample: 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General
Target: 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Size: 186KB
MD5: 0d651f4983af1acac13a75afe35a37f6
SHA1: 1dfc88725586fdbe4011622e35e08b109b1ec230
SHA256: ef43ed5973818d582ba04e996418f3927fe48a602a17fb2f81a0615e738b31ea
SHA512: f47bdba0103ee36a1f30905ae36ba8d0012e5afbd160296477e0b4d5cc0ed9b225172cdc7cc027600eebf002d6c26494674993ad43f9ddaf43508fd8703aa416
SSDEEP: 768:boNvFJ2M99CKKFObL0wL81g30Ni93w6Y/KMNabGJLyRhZtnZE4uwyu0:bU399CzqCg30gC6Y/KMNabGJLyRhbRU
Malware Config
Extracted
purecrypter
https://store2.gofile.io/download/6de6793b-1d8c-4ad4-adfe-8e28f421bbe6/Ysyxiz.dll
Signatures
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2992 | 2440 | WerFault.exe | 29
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not present in this copy of the report] | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2740 | powershell.exe
2184 | powershell.exe
2536 | powershell.exe
2112 | powershell.exe
3012 | powershell.exe
2228 | powershell.exe
2808 | powershell.exe
2848 | powershell.exe
1900 | powershell.exe
2460 | powershell.exe
844 | powershell.exe
344 | powershell.exe
1732 | powershell.exe
292 | powershell.exe
2424 | powershell.exe
2516 | powershell.exe
2468 | powershell.exe
2736 | powershell.exe
2588 | powershell.exe
3040 | powershell.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2740 | powershell.exe
Token: SeDebugPrivilege | 2184 | powershell.exe
Token: SeDebugPrivilege | 2536 | powershell.exe
Token: SeDebugPrivilege | 2112 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 2808 | powershell.exe
Token: SeDebugPrivilege | 2848 | powershell.exe
Token: SeDebugPrivilege | 1900 | powershell.exe
Token: SeDebugPrivilege | 2460 | powershell.exe
Token: SeDebugPrivilege | 844 | powershell.exe
Token: SeDebugPrivilege | 344 | powershell.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Token: SeDebugPrivilege | 292 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 2516 | powershell.exe
Token: SeDebugPrivilege | 2468 | powershell.exe
Token: SeDebugPrivilege | 2736 | powershell.exe
Token: SeDebugPrivilege | 2588 | powershell.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2440 wrote to memory of 2740 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2740 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2740 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2740 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2184 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 32
PID 2440 wrote to memory of 2184 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 32
PID 2440 wrote to memory of 2184 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 32
PID 2440 wrote to memory of 2184 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 32
PID 2440 wrote to memory of 2536 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 34
PID 2440 wrote to memory of 2536 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 34
PID 2440 wrote to memory of 2536 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 34
PID 2440 wrote to memory of 2536 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 34
PID 2440 wrote to memory of 2112 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 36
PID 2440 wrote to memory of 2112 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 36
PID 2440 wrote to memory of 2112 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 36
PID 2440 wrote to memory of 2112 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 36
PID 2440 wrote to memory of 3012 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 38
PID 2440 wrote to memory of 3012 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 38
PID 2440 wrote to memory of 3012 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 38
PID 2440 wrote to memory of 3012 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 38
PID 2440 wrote to memory of 2228 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 40
PID 2440 wrote to memory of 2228 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 40
PID 2440 wrote to memory of 2228 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 40
PID 2440 wrote to memory of 2228 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 40
PID 2440 wrote to memory of 2808 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 42
PID 2440 wrote to memory of 2808 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 42
PID 2440 wrote to memory of 2808 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 42
PID 2440 wrote to memory of 2808 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 42
PID 2440 wrote to memory of 2848 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 44
PID 2440 wrote to memory of 2848 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 44
PID 2440 wrote to memory of 2848 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 44
PID 2440 wrote to memory of 2848 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 44
PID 2440 wrote to memory of 1900 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 46
PID 2440 wrote to memory of 1900 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 46
PID 2440 wrote to memory of 1900 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 46
PID 2440 wrote to memory of 1900 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 46
PID 2440 wrote to memory of 2460 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 48
PID 2440 wrote to memory of 2460 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 48
PID 2440 wrote to memory of 2460 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 48
PID 2440 wrote to memory of 2460 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 48
PID 2440 wrote to memory of 844 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 50
PID 2440 wrote to memory of 844 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 50
PID 2440 wrote to memory of 844 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 50
PID 2440 wrote to memory of 844 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 50
PID 2440 wrote to memory of 344 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 52
PID 2440 wrote to memory of 344 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 52
PID 2440 wrote to memory of 344 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 52
PID 2440 wrote to memory of 344 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 52
PID 2440 wrote to memory of 1732 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 54
PID 2440 wrote to memory of 1732 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 54
PID 2440 wrote to memory of 1732 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 54
PID 2440 wrote to memory of 1732 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 54
PID 2440 wrote to memory of 292 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 56
PID 2440 wrote to memory of 292 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 56
PID 2440 wrote to memory of 292 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 56
PID 2440 wrote to memory of 292 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 56
PID 2440 wrote to memory of 2424 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 58
PID 2440 wrote to memory of 2424 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 58
PID 2440 wrote to memory of 2424 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 58
PID 2440 wrote to memory of 2424 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 58
PID 2440 wrote to memory of 2516 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 60
PID 2440 wrote to memory of 2516 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 60
PID 2440 wrote to memory of 2516 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 60
PID 2440 wrote to memory of 2516 | 2440 | 0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe | 60
Processes
C:\Users\Admin\AppData\Local\Temp\0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2440
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2740
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2184
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2536
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2112
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3012
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2228
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2808
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2848
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1900
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2460
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 844
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 344
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1732
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 292
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2424
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2516
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2468
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2736
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2588
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3040
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1620
    - Program crash
    PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 777c32c8e978d6a2113afa539d3c7b5f
SHA1: 375047449b33ee9b0689f11ffe226b37f171a722
SHA256: 4dc64ecba74e0398feb9bb6ebffd1cda0af59f1e241507385da4f777af1d195e
SHA512: 02b694b4998b2766085e26b3c0778a026c412e76ed05b6a533720fe4e0a5485bf3773eeb6decb2923ee59eba8f692bb949dafcf8e5e5b7bebe7cf6d5fb852f3f