purecrypter | ef43ed5973818d582ba04e996418f3927fe48a602a17fb2f81a0615e738b31ea

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Size

186KB
MD5

0d651f4983af1acac13a75afe35a37f6
SHA1

1dfc88725586fdbe4011622e35e08b109b1ec230
SHA256

ef43ed5973818d582ba04e996418f3927fe48a602a17fb2f81a0615e738b31ea
SHA512

f47bdba0103ee36a1f30905ae36ba8d0012e5afbd160296477e0b4d5cc0ed9b225172cdc7cc027600eebf002d6c26494674993ad43f9ddaf43508fd8703aa416
SSDEEP

768:boNvFJ2M99CKKFObL0wL81g30Ni93w6Y/KMNabGJLyRhZtnZE4uwyu0:bU399CzqCg30gC6Y/KMNabGJLyRhbRU

Score

10^/10

purecrypter discovery downloader loader

Malware Config

Extracted

Family

purecrypter

https://store2.gofile.io/download/6de6793b-1d8c-4ad4-adfe-8e28f421bbe6/Ysyxiz.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	4476	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2376	powershell.exe
2376	powershell.exe
4460	powershell.exe
4460	powershell.exe
2932	powershell.exe
2932	powershell.exe
3012	powershell.exe
3012	powershell.exe
2844	powershell.exe
2844	powershell.exe
1544	powershell.exe
1544	powershell.exe
2260	powershell.exe
2260	powershell.exe
3892	powershell.exe
3892	powershell.exe
4428	powershell.exe
4428	powershell.exe
4420	powershell.exe
4420	powershell.exe
4560	powershell.exe
4560	powershell.exe
3992	powershell.exe
3992	powershell.exe
4924	powershell.exe
4924	powershell.exe
2804	powershell.exe
2804	powershell.exe
3604	powershell.exe
3604	powershell.exe
4860	powershell.exe
4860	powershell.exe
4396	powershell.exe
4396	powershell.exe
4312	powershell.exe
4312	powershell.exe
3980	powershell.exe
3980	powershell.exe
2920	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemProfilePrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeProfSingleProcessPrivilege	2376	powershell.exe
Token: SeIncBasePriorityPrivilege	2376	powershell.exe
Token: SeCreatePagefilePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeRemoteShutdownPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe
Token: SeManageVolumePrivilege	2376	powershell.exe
Token: 33	2376	powershell.exe
Token: 34	2376	powershell.exe
Token: 35	2376	powershell.exe
Token: 36	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemProfilePrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeProfSingleProcessPrivilege	2376	powershell.exe
Token: SeIncBasePriorityPrivilege	2376	powershell.exe
Token: SeCreatePagefilePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeRemoteShutdownPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe
Token: SeManageVolumePrivilege	2376	powershell.exe
Token: 33	2376	powershell.exe
Token: 34	2376	powershell.exe
Token: 35	2376	powershell.exe
Token: 36	2376	powershell.exe
Token: SeIncreaseQuotaPrivilege	2376	powershell.exe
Token: SeSecurityPrivilege	2376	powershell.exe
Token: SeTakeOwnershipPrivilege	2376	powershell.exe
Token: SeLoadDriverPrivilege	2376	powershell.exe
Token: SeSystemProfilePrivilege	2376	powershell.exe
Token: SeSystemtimePrivilege	2376	powershell.exe
Token: SeProfSingleProcessPrivilege	2376	powershell.exe
Token: SeIncBasePriorityPrivilege	2376	powershell.exe
Token: SeCreatePagefilePrivilege	2376	powershell.exe
Token: SeBackupPrivilege	2376	powershell.exe
Token: SeRestorePrivilege	2376	powershell.exe
Token: SeShutdownPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeSystemEnvironmentPrivilege	2376	powershell.exe
Token: SeRemoteShutdownPrivilege	2376	powershell.exe
Token: SeUndockPrivilege	2376	powershell.exe
Token: SeManageVolumePrivilege	2376	powershell.exe
Token: 33	2376	powershell.exe
Token: 34	2376	powershell.exe
Token: 35	2376	powershell.exe
Token: 36	2376	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2376	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	82
PID 4476 wrote to memory of 2376	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	82
PID 4476 wrote to memory of 2376	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	82
PID 4476 wrote to memory of 4460	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	93
PID 4476 wrote to memory of 4460	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	93
PID 4476 wrote to memory of 4460	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	93
PID 4476 wrote to memory of 2932	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	95
PID 4476 wrote to memory of 2932	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	95
PID 4476 wrote to memory of 2932	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	95
PID 4476 wrote to memory of 3012	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	97
PID 4476 wrote to memory of 3012	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	97
PID 4476 wrote to memory of 3012	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	97
PID 4476 wrote to memory of 2844	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	100
PID 4476 wrote to memory of 2844	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	100
PID 4476 wrote to memory of 2844	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	100
PID 4476 wrote to memory of 1544	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	103
PID 4476 wrote to memory of 1544	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	103
PID 4476 wrote to memory of 1544	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	103
PID 4476 wrote to memory of 2260	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	105
PID 4476 wrote to memory of 2260	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	105
PID 4476 wrote to memory of 2260	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	105
PID 4476 wrote to memory of 3892	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	107
PID 4476 wrote to memory of 3892	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	107
PID 4476 wrote to memory of 3892	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	107
PID 4476 wrote to memory of 4428	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	109
PID 4476 wrote to memory of 4428	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	109
PID 4476 wrote to memory of 4428	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	109
PID 4476 wrote to memory of 4420	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	111
PID 4476 wrote to memory of 4420	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	111
PID 4476 wrote to memory of 4420	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	111
PID 4476 wrote to memory of 4560	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	113
PID 4476 wrote to memory of 4560	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	113
PID 4476 wrote to memory of 4560	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	113
PID 4476 wrote to memory of 3992	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	115
PID 4476 wrote to memory of 3992	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	115
PID 4476 wrote to memory of 3992	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	115
PID 4476 wrote to memory of 4924	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	117
PID 4476 wrote to memory of 4924	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	117
PID 4476 wrote to memory of 4924	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	117
PID 4476 wrote to memory of 2804	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	119
PID 4476 wrote to memory of 2804	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	119
PID 4476 wrote to memory of 2804	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	119
PID 4476 wrote to memory of 3604	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	121
PID 4476 wrote to memory of 3604	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	121
PID 4476 wrote to memory of 3604	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	121
PID 4476 wrote to memory of 4860	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	123
PID 4476 wrote to memory of 4860	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	123
PID 4476 wrote to memory of 4860	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	123
PID 4476 wrote to memory of 4396	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	125
PID 4476 wrote to memory of 4396	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	125
PID 4476 wrote to memory of 4396	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	125
PID 4476 wrote to memory of 4312	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	127
PID 4476 wrote to memory of 4312	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	127
PID 4476 wrote to memory of 4312	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	127
PID 4476 wrote to memory of 3980	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	129
PID 4476 wrote to memory of 3980	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	129
PID 4476 wrote to memory of 3980	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	129
PID 4476 wrote to memory of 2920	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	131
PID 4476 wrote to memory of 2920	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	131
PID 4476 wrote to memory of 2920	4476	0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe	131

C:\Users\Admin\AppData\Local\Temp\0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d651f4983af1acac13a75afe35a37f6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 2120
  2⤵
  - Program crash
  PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4476 -ip 4476
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c018e16dd35f28481778200f64d48f7d

SHA1
1c62dc5094a3c3c1a029a6c364e085f8b394a5f8

SHA256
1eca7f2483e92089e119033f7da113033c06f53bd1925eb2029fcbd00cf14425

SHA512
2b100699503cb3c9775faf2ccb3f2365fa412eef29e2d8e631e1fa606bd2c5a4652c3dfb929da0d9964fd1ccf123ee81c509a9a45b03028fb045c6ce3f6c19c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
8c92e399d2bef6316b26e003296f2685

SHA1
7e146fbde00c33727d14b9fff67d0312e35557ca

SHA256
c1477727a6a85c681d0ab43058cedf4a02e2bb5a1691542e3553d79204295cc4

SHA512
3d0f086a9d8c2a2c06344929385ec6100a6601a944f4fe36aeeb3e1a954bfd785ec9b5d4a3ec5c573e61e5320abce7b5d1ab5dc25a8f7b3a346046f5e073a16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
f50e468874d4e289e4b51af602c36ebb

SHA1
1a52da2458f0abd6767b4137e359eb423a363313

SHA256
90a9facdc656a57d9d9d9b9e51036bc61edd2d900fcf486689d2c0244431c733

SHA512
9debb1b63b32b5fb99fbff036436583410f9a2bcac314e472c6244e6769d068576ff1d5b3624f364bf46496a1468295daca1418871a97213b2abc1c2170b4cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
e69e63cfde5f2d6de8bd7744fd369cf7

SHA1
450fbcde8e03cc9ecf9a09c4f9d7868761e7f923

SHA256
8bafe7fe0f2784d9fad15dcce9cdec32a7553c7d724068798f85f838565d7ba3

SHA512
067a74946812321f87a39e7f1a3dcb052ca4c4a18c958e2532cbd6d4d8eaf6824d3703fb9078d5a1276a203f51a420636be6fa0a54f75ff0a462608818bfa20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
a85a98c7496c1d4e63d6300d53a96d85

SHA1
67ec3a901b6c351853682ba0c2c098b98e3fadb5

SHA256
7e9a28112ef07279f1670da6600128856f65186e46db177ac3e9b2e023d9fab4

SHA512
e9dc3c816ae72aa9b6aadd21329302d24159228b4e48ada34f3855c9ed7e5f751091f6d01a1b1b330397ca6761421dac380255640ce5cd802a308c7ef83ad906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
0818251ff946d4c36b79c4068fe25301

SHA1
8abbb4c4c6e44a1fe01375a512d22ce24347c8e0

SHA256
7a45e4b5b1b3c2fb8fc75e042d66b43dba4d58f27b8906375bf09ccb95e99f75

SHA512
ffcd733015f01996223061c4a82b9088377a3166c2d8b40b2119aae8da13de9ca35271fa3fc2ea5022e953ef723c1dfd939c917ca079801bbe523f4c12bac5ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
311820ded18e31c691ef973c5db36b91

SHA1
81eedc4aadcfeadae8c333b4329728274f9ede7a

SHA256
7ccb92735431f272ad90039a3200c6a115644d4439cc5a612c64d988f1d0d0e5

SHA512
f29ed2817145780d11ab0ce26d8deb1a2b8c8730dd168e288ca225735ce51a1c85ed56be55a045e7782170355e4cf727d988ac3fe43df1cad98e98cbec215fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
80b9b6c94738a7983e4169d5492206fa

SHA1
34710faf1a4952b14d5afff83f9a41f76d54120c

SHA256
033ae24b9c98ee4fc28daf9d73b79660de44292170adae352889be102e2dbce2

SHA512
f263ebe89ef7e2882b6c13eaa398c768081366231dca8dc4f42d40afd120232e2570e77d9070169164fd09adfc29ee293d22489f4c4ccda52d42fdf3231e4221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
35c4fecc6e6387cfbbb9b3de2ce00bb1

SHA1
e1612bf1f814eabc5c62e345f30cbd5170da71c5

SHA256
bc991e23ddec64b92f53925585dfd019c5cdf49ba6ab3c20fec430615d7e08f3

SHA512
1457e572bd7298ae831a208321c1808c3921c5a8a01a3160d71bd6d53d0cec84f216655556dbe63e4a085e6666d287a1c689563c81386d533b93e29515f26396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
b3843ec40855a16c9892125b22ce291a

SHA1
6074fea3826c93e9fed40d72b9e080d4c94d4942

SHA256
444d1e521c22dd717a9d4b6709ee584fdf534042f37aa196a1fff63a1429e53d

SHA512
7185fd28c26ef17266be32163f5f86eb1aa09137ab3ab37fc87065fba14d2ccb112e6eb60193ccb98e9817a44c0e7e9f5f4b20075a70f61fb8eb63de5d37615c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
976119f7bc2f5f30575df0465cbd9f28

SHA1
3167e725e213f272f03993367ac9cb684a83e359

SHA256
fbbf7f1701e182bf92804e305235cc16c20a422ba36a985f1681047cee4dc854

SHA512
94ebdd278d001366447b391bd8bd986dc594d44cbbbf405e3e3c3eb33406ccb6002af80104503479ff1af34bd64d5c96adbdd959ccb24498af1acd72350b9754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
86dbef9b52431b02c793609322688ae6

SHA1
c3245a8519fbdf75dbbd7834151396d51b6532c3

SHA256
3a89ba4bd72fa15a1563728851153e4f1420985874b898cf76e2703a3d37d79c

SHA512
1cc106d11b7b28d6780744c43d4746928f316593e069b43c52decc82532aedfbb1bad5d11a11f5f880642a67f9d4db4060aeeac047d4c3a6d6f9cbb049753a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
6906f84570566d4ceb37f907feaf2b28

SHA1
cf4f6caf37744b77401263b4fd500acbecacf9da

SHA256
a3a94500190f187538c8abfa6fe04a4b98b68d300b740adc960d116dcdb1a2eb

SHA512
640a9d2defb757e4e36df2329fc33c89c6603dbd8e0216e2a8accb2bfc5deec7c71cd719a8355cd83c6c48e0ed46994037605eb2bf12fc17756464d9fdd6adaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
12cb4d4b4ac736431655dd7638d8107f

SHA1
f3464fd916a2f1356f240bdea5dad42e37f37657

SHA256
63753f98fdadc4f675e39931a5c8a70cd8338b1d5da372483d254d91b075f0d7

SHA512
5705fdc0d33f341f10e11ce371917215c7742dd2ca9c5688a5eade10b94034f94de8e1c2c155cc26eb925490d76e4523cd127137379768457cbcc4e062689b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
0b0a2eee3438201580a5de82ab4454ab

SHA1
32a249d94ee8ed22d087310f37a6be67b404112d

SHA256
14c67a72eb3f87147c663816ed51e794c1cf03578161b4412f9a8ee84f519cfd

SHA512
56509b34598b2973c4ea5b7da78a1c05d2c313cd2b8a2e025db09d4ff7bf0487d837874bc902600cc24d7e6afc91b16b37486f78972329fcbfc023241fb43b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
251420e544432cfd5b5fde766dc509a9

SHA1
410fdba8b3dd0574dd6120c3c039c2f687fd00d9

SHA256
8a7fb696aa3b7ff8ce9175b145ed32eaf6302abf32bd72206e05c71e2ae07a94

SHA512
e7e0dbfc6d7a33aec4f99f788815bbf54a85d48afb61f8b6916c96c0ab0ac12daff5ed01b2b5b8526eaed547a7b477a6feac4b1a20f6135f6a31a8a4cd1aa300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
b66ea8809a6f6fa5ccec75757663af51

SHA1
d4b3948906980dca1ac177fe389ef592392ca313

SHA256
dfd97e9444c7bfcd3b8dec1d272ce1fc78d980a163d22258b9971ec808eb2016

SHA512
abe903de8a075bb86470db5872dbe0b47262bbf8332839ae046d59e04de7b53460ed9c185bd7499cf51a27c130d539e363d6ce4f094ecfa2805e9fb913ed1559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
9486dc89e747594b756b4ca82a6e7d20

SHA1
5aff807bf68f4ce5e6e0c916918157c85e6ac631

SHA256
aa56acd8b04dea97e0ad1e661ad772d3330553646cea3f56a18a4e3e377f52a6

SHA512
278ffda4edf1b4305dfe07b4c3c17879aba0fce0e64f28f769aab68760c637936e64633504bc8c7b6dc4b33cde33aa76b3d57e9a4b01fca6d2c6cb9b8b172c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
85ea68108c3b4bff4d35380233e7cbdd

SHA1
21689b1a8ebd3f09212026895605af7220f12174

SHA256
b44f8bd0af991ad78feb730074946019949690be4f8b8361d6568b5600f304f8

SHA512
e0ef5ae0ccb7f25beecf6158e156528f053b86e3df157bb65c187071161cfa79a4203bc9fd873a1240a8de821d1ca7186b7a8213b653466e00d6633e0be16c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
23KB

MD5
1e69dec8159c2f0fd43e5b4ec141c93f

SHA1
19f1e7827a576d7f39a8cec2df5b0f387dd0ba25

SHA256
51e52416e291fe5c66f455e6ad93aa2dd7fab91e26e301a22a3d80e48bceb732

SHA512
07c0d429a54338347429fbb7eeec10e5b3a4a0215f9d1299d142731287a00699ed4e9df574721ae4011b373a6a4d8676cd13dc70acc66086383b69b3d4b891d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i25lefdg.ivc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1544-159-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2260-180-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2376-38-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/2376-32-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-42-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/2376-43-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/2376-44-0x00000000078A0000-0x00000000078CA000-memory.dmp

Filesize
168KB

Download
memory/2376-45-0x00000000078D0000-0x00000000078F4000-memory.dmp

Filesize
144KB

Download
memory/2376-18-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/2376-47-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-48-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-49-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/2376-50-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-51-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-52-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-53-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-56-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-40-0x0000000007610000-0x00000000076A6000-memory.dmp

Filesize
600KB

Download
memory/2376-7-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/2376-2-0x0000000002740000-0x0000000002776000-memory.dmp

Filesize
216KB

Download
memory/2376-3-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-39-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/2376-5-0x00000000051F0000-0x0000000005818000-memory.dmp

Filesize
6.2MB

Download
memory/2376-8-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2376-19-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/2376-6-0x0000000005070000-0x0000000005092000-memory.dmp

Filesize
136KB

Download
memory/2376-20-0x0000000006090000-0x00000000060DC000-memory.dmp

Filesize
304KB

Download
memory/2376-37-0x0000000007A10000-0x000000000808A000-memory.dmp

Filesize
6.5MB

Download
memory/2376-22-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2376-21-0x0000000006FC0000-0x0000000006FF2000-memory.dmp

Filesize
200KB

Download
memory/2376-36-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-41-0x0000000007590000-0x00000000075A1000-memory.dmp

Filesize
68KB

Download
memory/2376-33-0x0000000007000000-0x000000000701E000-memory.dmp

Filesize
120KB

Download
memory/2376-35-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/2376-34-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2804-328-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2844-138-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2844-129-0x0000000005F80000-0x00000000062D4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-455-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2932-95-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/2932-89-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-116-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3604-348-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/3604-350-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3892-201-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3980-434-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3992-286-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3992-284-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4312-413-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4396-392-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4420-243-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4428-222-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4460-83-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4460-72-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4460-60-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4460-66-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/4460-59-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4460-58-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4476-1-0x0000000000E70000-0x0000000000EA4000-memory.dmp

Filesize
208KB

Download
memory/4476-46-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4560-264-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4860-371-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4924-307-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download