e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 13:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe
Size

963KB
MD5

a566c8e207218d7c39982d50be49d855
SHA1

746848eb120d94325efb9eb2934e2c52a4e02673
SHA256

e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062
SHA512

e061adcbbebe4b970f92ca72b5358909f18914246fd546799de3a85da860641df0b2976ad8c7d967e6a76fc98073726e9c80289c3c8aae745394be8add863c49
SSDEEP

24576:eyXMISF3ZoF7tBmlIM6qqcA9fyrxDawqC3:taRk7jmPNqcAh4

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr796207.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si001523.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1524	un965022.exe
4716	un006519.exe
4504	pr796207.exe
224	qu570855.exe
1704	rk588434.exe
4432	si001523.exe
3252	oneetx.exe
4648	oneetx.exe
2164	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
456	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr796207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr796207.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un965022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un965022.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un006519.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un006519.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
3340	4504	WerFault.exe	85
4516	224	WerFault.exe	88
2312	4432	WerFault.exe	93
1472	4432	WerFault.exe	93
3708	4432	WerFault.exe	93
5000	4432	WerFault.exe	93
3860	4432	WerFault.exe	93
1432	4432	WerFault.exe	93
1820	4432	WerFault.exe	93
3348	4432	WerFault.exe	93
3256	4432	WerFault.exe	93
3732	4432	WerFault.exe	93
3404	3252	WerFault.exe	112
2808	3252	WerFault.exe	112
1712	3252	WerFault.exe	112
2868	3252	WerFault.exe	112
4928	3252	WerFault.exe	112
4236	3252	WerFault.exe	112
4884	3252	WerFault.exe	112
4072	3252	WerFault.exe	112
4264	3252	WerFault.exe	112
1104	3252	WerFault.exe	112
1688	3252	WerFault.exe	112
2924	3252	WerFault.exe	112
2780	3252	WerFault.exe	112
4516	4648	WerFault.exe	151
3580	3252	WerFault.exe	112
4160	3252	WerFault.exe	112
5080	3252	WerFault.exe	112
620	2164	WerFault.exe	161
1004	3252	WerFault.exe	112

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4504	pr796207.exe
4504	pr796207.exe
224	qu570855.exe
224	qu570855.exe
1704	rk588434.exe
1704	rk588434.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	pr796207.exe
Token: SeDebugPrivilege	224	qu570855.exe
Token: SeDebugPrivilege	1704	rk588434.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4432	si001523.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1524	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	83
PID 4684 wrote to memory of 1524	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	83
PID 4684 wrote to memory of 1524	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	83
PID 1524 wrote to memory of 4716	1524	un965022.exe	84
PID 1524 wrote to memory of 4716	1524	un965022.exe	84
PID 1524 wrote to memory of 4716	1524	un965022.exe	84
PID 4716 wrote to memory of 4504	4716	un006519.exe	85
PID 4716 wrote to memory of 4504	4716	un006519.exe	85
PID 4716 wrote to memory of 4504	4716	un006519.exe	85
PID 4716 wrote to memory of 224	4716	un006519.exe	88
PID 4716 wrote to memory of 224	4716	un006519.exe	88
PID 4716 wrote to memory of 224	4716	un006519.exe	88
PID 1524 wrote to memory of 1704	1524	un965022.exe	91
PID 1524 wrote to memory of 1704	1524	un965022.exe	91
PID 1524 wrote to memory of 1704	1524	un965022.exe	91
PID 4684 wrote to memory of 4432	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	93
PID 4684 wrote to memory of 4432	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	93
PID 4684 wrote to memory of 4432	4684	e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe	93
PID 4432 wrote to memory of 3252	4432	si001523.exe	112
PID 4432 wrote to memory of 3252	4432	si001523.exe	112
PID 4432 wrote to memory of 3252	4432	si001523.exe	112
PID 3252 wrote to memory of 1796	3252	oneetx.exe	129
PID 3252 wrote to memory of 1796	3252	oneetx.exe	129
PID 3252 wrote to memory of 1796	3252	oneetx.exe	129
PID 3252 wrote to memory of 2504	3252	oneetx.exe	135
PID 3252 wrote to memory of 2504	3252	oneetx.exe	135
PID 3252 wrote to memory of 2504	3252	oneetx.exe	135
PID 2504 wrote to memory of 1964	2504	cmd.exe	138
PID 2504 wrote to memory of 1964	2504	cmd.exe	138
PID 2504 wrote to memory of 1964	2504	cmd.exe	138
PID 2504 wrote to memory of 3868	2504	cmd.exe	139
PID 2504 wrote to memory of 3868	2504	cmd.exe	139
PID 2504 wrote to memory of 3868	2504	cmd.exe	139
PID 2504 wrote to memory of 1668	2504	cmd.exe	141
PID 2504 wrote to memory of 1668	2504	cmd.exe	141
PID 2504 wrote to memory of 1668	2504	cmd.exe	141
PID 2504 wrote to memory of 1728	2504	cmd.exe	142
PID 2504 wrote to memory of 1728	2504	cmd.exe	142
PID 2504 wrote to memory of 1728	2504	cmd.exe	142
PID 2504 wrote to memory of 1644	2504	cmd.exe	143
PID 2504 wrote to memory of 1644	2504	cmd.exe	143
PID 2504 wrote to memory of 1644	2504	cmd.exe	143
PID 2504 wrote to memory of 3924	2504	cmd.exe	144
PID 2504 wrote to memory of 3924	2504	cmd.exe	144
PID 2504 wrote to memory of 3924	2504	cmd.exe	144
PID 3252 wrote to memory of 456	3252	oneetx.exe	158
PID 3252 wrote to memory of 456	3252	oneetx.exe	158
PID 3252 wrote to memory of 456	3252	oneetx.exe	158

C:\Users\Admin\AppData\Local\Temp\e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe
"C:\Users\Admin\AppData\Local\Temp\e49c990d0603edb5f90b8c050fa2b008e649524a76db9eb2a5da19d40afb1062.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965022.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965022.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un006519.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un006519.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr796207.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr796207.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1080
        5⤵
        Program crash
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu570855.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu570855.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1960
        5⤵
        Program crash
        
        PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk588434.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk588434.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si001523.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si001523.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 708
    3⤵
    - Program crash
    PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 792
    3⤵
    - Program crash
    PID:1472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 856
    3⤵
    - Program crash
    PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 952
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 968
    3⤵
    - Program crash
    PID:3860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 980
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1216
    3⤵
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1240
    3⤵
    - Program crash
    PID:3348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1316
    3⤵
    - Program crash
    PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 704
      4⤵
      Program crash
      PID:3404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 788
      4⤵
      Program crash
      PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 832
      4⤵
      Program crash
      PID:1712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1052
      4⤵
      Program crash
      PID:2868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1072
      4⤵
      Program crash
      PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1052
      4⤵
      Program crash
      PID:4236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1108
      4⤵
      Program crash
      PID:4884
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 992
      4⤵
      Program crash
      PID:4072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1252
      4⤵
      Program crash
      PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1644
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1340
      4⤵
      Program crash
      PID:1104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1296
      4⤵
      Program crash
      PID:1688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1292
      4⤵
      Program crash
      PID:2924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 692
      4⤵
      Program crash
      PID:2780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1132
      4⤵
      Program crash
      PID:3580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1608
      4⤵
      Program crash
      PID:4160
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1132
      4⤵
      Program crash
      PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1628
      4⤵
      Program crash
      PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 768
    3⤵
    - Program crash
    PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4504 -ip 4504
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 224 -ip 224
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4432 -ip 4432
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4432 -ip 4432
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4432 -ip 4432
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4432 -ip 4432
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4432 -ip 4432
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4432 -ip 4432
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4432 -ip 4432
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4432 -ip 4432
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4432 -ip 4432
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4432 -ip 4432
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3252 -ip 3252
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3252 -ip 3252
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3252 -ip 3252
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3252 -ip 3252
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3252 -ip 3252
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3252 -ip 3252
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3252 -ip 3252
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3252 -ip 3252
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3252 -ip 3252
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3252 -ip 3252
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3252 -ip 3252
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3252 -ip 3252
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3252 -ip 3252
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 428
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4648 -ip 4648
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3252 -ip 3252
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3252 -ip 3252
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3252 -ip 3252
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 356
  2⤵
  - Program crash
  PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2164 -ip 2164
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3252 -ip 3252
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si001523.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si001523.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965022.exe

Filesize
704KB

MD5
d3ea805ea52c0b887b13027c3b856aa0

SHA1
47bdf0f1a523173e7f2570078a0d836c3da130e7

SHA256
e3f8d0774404d9aeebd821ead650a2f54a633914399272dc72f1bf31fdeb1b02

SHA512
ac73859db20278a5ac7eef2d0ab436c3cb11b15caeecafaac330db2951ea05ee010fae797a3021e28342a77d0e480894d2b353f6604228cdf5e35a1135b51f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un965022.exe

Filesize
704KB

MD5
d3ea805ea52c0b887b13027c3b856aa0

SHA1
47bdf0f1a523173e7f2570078a0d836c3da130e7

SHA256
e3f8d0774404d9aeebd821ead650a2f54a633914399272dc72f1bf31fdeb1b02

SHA512
ac73859db20278a5ac7eef2d0ab436c3cb11b15caeecafaac330db2951ea05ee010fae797a3021e28342a77d0e480894d2b353f6604228cdf5e35a1135b51f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk588434.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk588434.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un006519.exe

Filesize
550KB

MD5
edf7a32cf5898c762a8e46de74dcf21e

SHA1
de3729cc661adb0245db78d8cbcea37368658ac3

SHA256
7b378bf360aab819f1529ab003eab8a9c62005f1cc745dd2333117145550e866

SHA512
68dbeeaced52afd59e0ade2027cc0101426114bbbe15ad90a96824c6e6624aa96aaf54914bfddc6538782fc286ccca7c08ac35d44ed96ae81e73155a0afabcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un006519.exe

Filesize
550KB

MD5
edf7a32cf5898c762a8e46de74dcf21e

SHA1
de3729cc661adb0245db78d8cbcea37368658ac3

SHA256
7b378bf360aab819f1529ab003eab8a9c62005f1cc745dd2333117145550e866

SHA512
68dbeeaced52afd59e0ade2027cc0101426114bbbe15ad90a96824c6e6624aa96aaf54914bfddc6538782fc286ccca7c08ac35d44ed96ae81e73155a0afabcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr796207.exe

Filesize
277KB

MD5
98ecdf7ee835b73731dd2ade4b56638d

SHA1
9c38202f290828f58f65c5bed0a78123e8bbd5a7

SHA256
2ed5cbc6243557d93a941c2cc5582d1df978ebf4d4446cf1ee675b4937d12855

SHA512
dc105769277176c67e988393208f53ae138cb90f114a95f6e940c3f28eb73ca192681f09581605dff44a338d880d16f73ab7d09c9a93073fa882ee2e63c411dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr796207.exe

Filesize
277KB

MD5
98ecdf7ee835b73731dd2ade4b56638d

SHA1
9c38202f290828f58f65c5bed0a78123e8bbd5a7

SHA256
2ed5cbc6243557d93a941c2cc5582d1df978ebf4d4446cf1ee675b4937d12855

SHA512
dc105769277176c67e988393208f53ae138cb90f114a95f6e940c3f28eb73ca192681f09581605dff44a338d880d16f73ab7d09c9a93073fa882ee2e63c411dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu570855.exe

Filesize
360KB

MD5
2d4e46682783b84555827aa71a16bdae

SHA1
0e354573f3c81ba4f07a82b30c079b0256062b69

SHA256
4122fb4046417a0341705f2ab9ac5158295609e734c81d82af38232c59109a76

SHA512
cf60bcca8d86619be524f5b4c4405f0b51641c38777d81a95bff69f283e88fd8cfea17beb217a80bb0ebbd7cc7c25b50bd7da62835890d1b37c5eb112c26b3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu570855.exe

Filesize
360KB

MD5
2d4e46682783b84555827aa71a16bdae

SHA1
0e354573f3c81ba4f07a82b30c079b0256062b69

SHA256
4122fb4046417a0341705f2ab9ac5158295609e734c81d82af38232c59109a76

SHA512
cf60bcca8d86619be524f5b4c4405f0b51641c38777d81a95bff69f283e88fd8cfea17beb217a80bb0ebbd7cc7c25b50bd7da62835890d1b37c5eb112c26b3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
2a21910b32fd3a517a0fdb12aa140dc3

SHA1
41fb060fb3c69ed9d6ce9aa7d2d40b2b7f91aabc

SHA256
69f0a6a4e1885fd55b576bdf2a0cd7457f674ee220138d943ed92b13fdbe3d6a

SHA512
b511d8a6497fc3337d49a4950cbada7645b9d72132d2eac34f0656d4aa920ab88a76ecd4c9f7e425a2977aaaf311f42fd34bcb8f957c2fca9872fc768ce79594

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/224-996-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/224-231-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-1001-0x000000000B380000-0x000000000B8AC000-memory.dmp

Filesize
5.2MB

Download
memory/224-1000-0x000000000B1A0000-0x000000000B362000-memory.dmp

Filesize
1.8MB

Download
memory/224-999-0x000000000B0E0000-0x000000000B0FE000-memory.dmp

Filesize
120KB

Download
memory/224-998-0x000000000AF30000-0x000000000AFA6000-memory.dmp

Filesize
472KB

Download
memory/224-997-0x000000000AED0000-0x000000000AF20000-memory.dmp

Filesize
320KB

Download
memory/224-995-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/224-195-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-194-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-197-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-199-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-201-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-203-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-205-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-207-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-209-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-211-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-213-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-215-0x00000000046C0000-0x0000000004706000-memory.dmp

Filesize
280KB

Download
memory/224-217-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/224-216-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-220-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-219-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/224-221-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/224-223-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-225-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-227-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-229-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/224-994-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/224-990-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/224-991-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/224-992-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/224-993-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/1704-1009-0x0000000000640000-0x0000000000668000-memory.dmp

Filesize
160KB

Download
memory/1704-1010-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/4432-1016-0x0000000002CF0000-0x0000000002D25000-memory.dmp

Filesize
212KB

Download
memory/4504-170-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-178-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-187-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4504-186-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-184-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-174-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-172-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-180-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-176-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-182-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-168-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-189-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4504-166-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-164-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-162-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-160-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-159-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4504-158-0x0000000007470000-0x0000000007A14000-memory.dmp

Filesize
5.6MB

Download
memory/4504-157-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/4504-156-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/4504-155-0x0000000002C20000-0x0000000002C4D000-memory.dmp

Filesize
180KB

Download