ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2023, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe
Size

1.1MB
MD5

ee4c7c61731dbfc73f678eed5b114f18
SHA1

e3ca1b46f7606091eb86ea455668764bbe40938b
SHA256

ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5
SHA512

6738dc06c4590309ab0ed3dcf2898119259d01fa569f7420ccefd09378905f407dcafd4542a7fc03f3b2796f107c29602f8bcc62c756eee6f1ee5bbd25904e1a
SSDEEP

24576:2yzxFX+MPYBPNs7C6aEW5kB7hIrp7axuDBLSPvBDC:Fz6MPsNs7dalCphUU+BLYv

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr064745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr064745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr064745.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr064745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr064745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr064745.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si104085.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4672	un513354.exe
4504	un178379.exe
548	pr064745.exe
2464	qu037304.exe
460	rk441228.exe
4924	si104085.exe
4980	oneetx.exe
4656	oneetx.exe
4536	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4256	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr064745.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr064745.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un178379.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un513354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un513354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un178379.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
2020	4924	WerFault.exe	92
1436	4924	WerFault.exe	92
4404	4924	WerFault.exe	92
1240	4924	WerFault.exe	92
2748	4924	WerFault.exe	92
4880	4924	WerFault.exe	92
4248	4924	WerFault.exe	92
4272	4924	WerFault.exe	92
3332	4924	WerFault.exe	92
4492	4924	WerFault.exe	92
4376	4980	WerFault.exe	113
4328	4980	WerFault.exe	113
4624	4980	WerFault.exe	113
4312	4980	WerFault.exe	113
1696	4980	WerFault.exe	113
1544	4980	WerFault.exe	113
400	4980	WerFault.exe	113
2472	4980	WerFault.exe	113
2980	4980	WerFault.exe	113
3292	4980	WerFault.exe	113
1372	4980	WerFault.exe	113
2452	4980	WerFault.exe	113
548	4980	WerFault.exe	113
3836	4980	WerFault.exe	113
2900	4656	WerFault.exe	157
3712	4980	WerFault.exe	113
4148	4980	WerFault.exe	113
3444	4980	WerFault.exe	113
2852	4536	WerFault.exe	167

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
548	pr064745.exe
548	pr064745.exe
2464	qu037304.exe
2464	qu037304.exe
460	rk441228.exe
460	rk441228.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	pr064745.exe
Token: SeDebugPrivilege	2464	qu037304.exe
Token: SeDebugPrivilege	460	rk441228.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	si104085.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4672	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	84
PID 4636 wrote to memory of 4672	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	84
PID 4636 wrote to memory of 4672	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	84
PID 4672 wrote to memory of 4504	4672	un513354.exe	85
PID 4672 wrote to memory of 4504	4672	un513354.exe	85
PID 4672 wrote to memory of 4504	4672	un513354.exe	85
PID 4504 wrote to memory of 548	4504	un178379.exe	86
PID 4504 wrote to memory of 548	4504	un178379.exe	86
PID 4504 wrote to memory of 548	4504	un178379.exe	86
PID 4504 wrote to memory of 2464	4504	un178379.exe	90
PID 4504 wrote to memory of 2464	4504	un178379.exe	90
PID 4504 wrote to memory of 2464	4504	un178379.exe	90
PID 4672 wrote to memory of 460	4672	un513354.exe	91
PID 4672 wrote to memory of 460	4672	un513354.exe	91
PID 4672 wrote to memory of 460	4672	un513354.exe	91
PID 4636 wrote to memory of 4924	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	92
PID 4636 wrote to memory of 4924	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	92
PID 4636 wrote to memory of 4924	4636	ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe	92
PID 4924 wrote to memory of 4980	4924	si104085.exe	113
PID 4924 wrote to memory of 4980	4924	si104085.exe	113
PID 4924 wrote to memory of 4980	4924	si104085.exe	113
PID 4980 wrote to memory of 2968	4980	oneetx.exe	130
PID 4980 wrote to memory of 2968	4980	oneetx.exe	130
PID 4980 wrote to memory of 2968	4980	oneetx.exe	130
PID 4980 wrote to memory of 3800	4980	oneetx.exe	136
PID 4980 wrote to memory of 3800	4980	oneetx.exe	136
PID 4980 wrote to memory of 3800	4980	oneetx.exe	136
PID 3800 wrote to memory of 232	3800	cmd.exe	140
PID 3800 wrote to memory of 232	3800	cmd.exe	140
PID 3800 wrote to memory of 232	3800	cmd.exe	140
PID 3800 wrote to memory of 408	3800	cmd.exe	141
PID 3800 wrote to memory of 408	3800	cmd.exe	141
PID 3800 wrote to memory of 408	3800	cmd.exe	141
PID 3800 wrote to memory of 2444	3800	cmd.exe	142
PID 3800 wrote to memory of 2444	3800	cmd.exe	142
PID 3800 wrote to memory of 2444	3800	cmd.exe	142
PID 3800 wrote to memory of 2304	3800	cmd.exe	143
PID 3800 wrote to memory of 2304	3800	cmd.exe	143
PID 3800 wrote to memory of 2304	3800	cmd.exe	143
PID 3800 wrote to memory of 4628	3800	cmd.exe	145
PID 3800 wrote to memory of 4628	3800	cmd.exe	145
PID 3800 wrote to memory of 4628	3800	cmd.exe	145
PID 3800 wrote to memory of 4432	3800	cmd.exe	146
PID 3800 wrote to memory of 4432	3800	cmd.exe	146
PID 3800 wrote to memory of 4432	3800	cmd.exe	146
PID 4980 wrote to memory of 4256	4980	oneetx.exe	162
PID 4980 wrote to memory of 4256	4980	oneetx.exe	162
PID 4980 wrote to memory of 4256	4980	oneetx.exe	162

C:\Users\Admin\AppData\Local\Temp\ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe
"C:\Users\Admin\AppData\Local\Temp\ca39f89251b271bb6ffdca38b81f7eca21b1a431f855e57ce1f19f447ad640b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un513354.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un513354.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un178379.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un178379.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr064745.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr064745.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu037304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu037304.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441228.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441228.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104085.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104085.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 696
    3⤵
    - Program crash
    PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 772
    3⤵
    - Program crash
    PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 800
    3⤵
    - Program crash
    PID:4404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 972
    3⤵
    - Program crash
    PID:1240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 940
    3⤵
    - Program crash
    PID:2748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 984
    3⤵
    - Program crash
    PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1212
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1212
    3⤵
    - Program crash
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1320
    3⤵
    - Program crash
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 692
      4⤵
      Program crash
      PID:4376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 836
      4⤵
      Program crash
      PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 832
      4⤵
      Program crash
      PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1052
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1088
      4⤵
      Program crash
      PID:1696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1080
      4⤵
      Program crash
      PID:1544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1092
      4⤵
      Program crash
      PID:400
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1000
      4⤵
      Program crash
      PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 776
      4⤵
      Program crash
      PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 904
      4⤵
      Program crash
      PID:3292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1292
      4⤵
      Program crash
      PID:1372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1276
      4⤵
      Program crash
      PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 744
      4⤵
      Program crash
      PID:548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1108
      4⤵
      Program crash
      PID:3836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1088
      4⤵
      Program crash
      PID:3712
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1612
      4⤵
      Program crash
      PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1676
      4⤵
      Program crash
      PID:3444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1432
    3⤵
    - Program crash
    PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4924 -ip 4924
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4924 -ip 4924
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4924 -ip 4924
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4924 -ip 4924
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4924 -ip 4924
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4924 -ip 4924
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4924 -ip 4924
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4924 -ip 4924
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4924 -ip 4924
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4924 -ip 4924
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 4980
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4980 -ip 4980
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 4980
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 4980
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4980 -ip 4980
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4980 -ip 4980
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4980 -ip 4980
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4980 -ip 4980
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4980 -ip 4980
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4980 -ip 4980
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4980 -ip 4980
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 316
  2⤵
  - Program crash
  PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4656 -ip 4656
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4980 -ip 4980
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4980 -ip 4980
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4980 -ip 4980
1⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 312
  2⤵
  - Program crash
  PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4536 -ip 4536
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104085.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si104085.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un513354.exe

Filesize
764KB

MD5
9ee518e5b4ae55b23d5aa23112610dfa

SHA1
6fe90e9a96ab12961ceefd42405a801f40e69ccb

SHA256
9adafade7597e4cc72c02f3cc891f7b6ccbdd96f637053a7693488dd982713ac

SHA512
9daa98927386a526706fd0ca6ae33b4465c1ca05ddc78c55df1c9248b98192d522211ea850b0d0426dd25fafefac30a110e86cf6590fe17e40b78ba0520178aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un513354.exe

Filesize
764KB

MD5
9ee518e5b4ae55b23d5aa23112610dfa

SHA1
6fe90e9a96ab12961ceefd42405a801f40e69ccb

SHA256
9adafade7597e4cc72c02f3cc891f7b6ccbdd96f637053a7693488dd982713ac

SHA512
9daa98927386a526706fd0ca6ae33b4465c1ca05ddc78c55df1c9248b98192d522211ea850b0d0426dd25fafefac30a110e86cf6590fe17e40b78ba0520178aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441228.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk441228.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un178379.exe

Filesize
609KB

MD5
d61b12d9ba11b3af186aff38669f3c86

SHA1
b82eb8b0bb827f87ffde1e2017bba9fdd3c57be9

SHA256
a978ffc974867022de67527d2034dae326e28e04b3fd2cec629b0d9e03922063

SHA512
89c093fd6d8e095bcf26c6950fe36671e8bf082c458bbbd59b4e3f62d51221df94455316fe7ebfcc93782ae744af4a95aa287be668a603d7bbd78211005d9054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un178379.exe

Filesize
609KB

MD5
d61b12d9ba11b3af186aff38669f3c86

SHA1
b82eb8b0bb827f87ffde1e2017bba9fdd3c57be9

SHA256
a978ffc974867022de67527d2034dae326e28e04b3fd2cec629b0d9e03922063

SHA512
89c093fd6d8e095bcf26c6950fe36671e8bf082c458bbbd59b4e3f62d51221df94455316fe7ebfcc93782ae744af4a95aa287be668a603d7bbd78211005d9054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr064745.exe

Filesize
402KB

MD5
de57ed60cedb616f20db8a8666aecd30

SHA1
6d265caad1353d023f2f314c3dcd759449e90235

SHA256
afebd9eb18d202985918a79348e1e4f549a6bd9effabc7ac1d8082a6081b9632

SHA512
5689e75b68e22dbd8858d0473749eb8c414bdf4b32dec6fccafbc57505f7674685a55d546b7f52887d1f2b467eb6e62b23b18fd913333fd38c5181fe99bb349c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr064745.exe

Filesize
402KB

MD5
de57ed60cedb616f20db8a8666aecd30

SHA1
6d265caad1353d023f2f314c3dcd759449e90235

SHA256
afebd9eb18d202985918a79348e1e4f549a6bd9effabc7ac1d8082a6081b9632

SHA512
5689e75b68e22dbd8858d0473749eb8c414bdf4b32dec6fccafbc57505f7674685a55d546b7f52887d1f2b467eb6e62b23b18fd913333fd38c5181fe99bb349c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu037304.exe

Filesize
485KB

MD5
c3676fda1d19df4cf94e5306e1746b24

SHA1
a87cd3ee35de4dfb36838dd6637de0eb5a6e0a9d

SHA256
070d9c70503d99b89b11658cce05b8f693f771e16696d46a6effb73c3a5a253c

SHA512
67c5919e7ed94582552bdf0c9dfd0879235bacc17c311fa4557c1ecfe09b22408c99c9629ace76914c07c86b61ef18927eb6379f65c4e7bd09a730c092c8dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu037304.exe

Filesize
485KB

MD5
c3676fda1d19df4cf94e5306e1746b24

SHA1
a87cd3ee35de4dfb36838dd6637de0eb5a6e0a9d

SHA256
070d9c70503d99b89b11658cce05b8f693f771e16696d46a6effb73c3a5a253c

SHA512
67c5919e7ed94582552bdf0c9dfd0879235bacc17c311fa4557c1ecfe09b22408c99c9629ace76914c07c86b61ef18927eb6379f65c4e7bd09a730c092c8dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/460-1010-0x0000000000890000-0x00000000008B8000-memory.dmp

Filesize
160KB

Download
memory/460-1011-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/548-172-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-192-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/548-178-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-180-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-182-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-184-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-186-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-187-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/548-188-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/548-189-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/548-190-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/548-176-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-174-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-170-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-168-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-166-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-164-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-162-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-160-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-159-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/548-158-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/548-156-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/548-157-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/548-155-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/2464-203-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-1000-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/2464-220-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-222-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-224-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-226-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-228-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-230-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-232-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-234-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-993-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/2464-994-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2464-995-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2464-996-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2464-997-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2464-998-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/2464-999-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/2464-218-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-1001-0x0000000008CF0000-0x0000000008D0E000-memory.dmp

Filesize
120KB

Download
memory/2464-216-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-214-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-212-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-1002-0x0000000008E10000-0x0000000008FD2000-memory.dmp

Filesize
1.8MB

Download
memory/2464-1003-0x0000000008FE0000-0x000000000950C000-memory.dmp

Filesize
5.2MB

Download
memory/2464-1004-0x00000000028E0000-0x0000000002930000-memory.dmp

Filesize
320KB

Download
memory/2464-197-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-207-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2464-210-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-208-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-205-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2464-204-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2464-202-0x0000000000980000-0x00000000009C6000-memory.dmp

Filesize
280KB

Download
memory/2464-200-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/2464-198-0x00000000029C0000-0x00000000029F5000-memory.dmp

Filesize
212KB

Download
memory/4924-1017-0x0000000002370000-0x00000000023A5000-memory.dmp

Filesize
212KB

Download