Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
20-04-2023 03:12
Static task
static1
General
-
Target
a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe
-
Size
828KB
-
MD5
0672e7eb8902612101b5b4ab4dd19928
-
SHA1
484e0ccb99e316b05287025b17c2b56b93e61a1f
-
SHA256
a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619
-
SHA512
b580a437835a2dd8838f0ed90394abf7e30b9916d7dda53a75d16833511d40af19c75dfbf847b7f8c65b2dae5088ecd93c7a7f24aba8fce3e2f11f76acb26ffd
-
SSDEEP
24576:hyDE5163Owlxqq0nxh/L162NCDIFb3lG9JNZIekiO:UIr63OK8nx516dI3K9r9
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it182073.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it182073.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it182073.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it182073.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it182073.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it182073.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation lr204301.exe Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 8 IoCs
pid Process 644 ziCO7613.exe 1524 ziOs5117.exe 3400 it182073.exe 4860 jr293524.exe 4308 kp843104.exe 1600 lr204301.exe 4576 oneetx.exe 3704 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 4900 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it182073.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziCO7613.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziCO7613.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziOs5117.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ziOs5117.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
pid pid_target Process procid_target 2364 1600 WerFault.exe 94 3672 1600 WerFault.exe 94 4996 1600 WerFault.exe 94 4588 1600 WerFault.exe 94 3348 1600 WerFault.exe 94 1364 1600 WerFault.exe 94 1944 1600 WerFault.exe 94 1056 1600 WerFault.exe 94 4952 1600 WerFault.exe 94 220 1600 WerFault.exe 94 1420 4576 WerFault.exe 114 3924 4576 WerFault.exe 114 3696 4576 WerFault.exe 114 3472 4576 WerFault.exe 114 4168 4576 WerFault.exe 114 2616 4576 WerFault.exe 114 1048 4576 WerFault.exe 114 4016 4576 WerFault.exe 114 4444 4576 WerFault.exe 114 3564 4576 WerFault.exe 114 4404 4576 WerFault.exe 114 4456 4576 WerFault.exe 114 1932 4576 WerFault.exe 114 3712 4576 WerFault.exe 114 3592 4576 WerFault.exe 114 4264 4576 WerFault.exe 114 3464 4576 WerFault.exe 114 2468 3704 WerFault.exe 166 1740 4576 WerFault.exe 114 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3872 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3400 it182073.exe 3400 it182073.exe 4860 jr293524.exe 4860 jr293524.exe 4308 kp843104.exe 4308 kp843104.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3400 it182073.exe Token: SeDebugPrivilege 4860 jr293524.exe Token: SeDebugPrivilege 4308 kp843104.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1600 lr204301.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 1052 wrote to memory of 644 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 86 PID 1052 wrote to memory of 644 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 86 PID 1052 wrote to memory of 644 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 86 PID 644 wrote to memory of 1524 644 ziCO7613.exe 87 PID 644 wrote to memory of 1524 644 ziCO7613.exe 87 PID 644 wrote to memory of 1524 644 ziCO7613.exe 87 PID 1524 wrote to memory of 3400 1524 ziOs5117.exe 88 PID 1524 wrote to memory of 3400 1524 ziOs5117.exe 88 PID 1524 wrote to memory of 4860 1524 ziOs5117.exe 92 PID 1524 wrote to memory of 4860 1524 ziOs5117.exe 92 PID 1524 wrote to memory of 4860 1524 ziOs5117.exe 92 PID 644 wrote to memory of 4308 644 ziCO7613.exe 93 PID 644 wrote to memory of 4308 644 ziCO7613.exe 93 PID 644 wrote to memory of 4308 644 ziCO7613.exe 93 PID 1052 wrote to memory of 1600 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 94 PID 1052 wrote to memory of 1600 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 94 PID 1052 wrote to memory of 1600 1052 a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe 94 PID 1600 wrote to memory of 4576 1600 lr204301.exe 114 PID 1600 wrote to memory of 4576 1600 lr204301.exe 114 PID 1600 wrote to memory of 4576 1600 lr204301.exe 114 PID 4576 wrote to memory of 3872 4576 oneetx.exe 132 PID 4576 wrote to memory of 3872 4576 oneetx.exe 132 PID 4576 wrote to memory of 3872 4576 oneetx.exe 132 PID 4576 wrote to memory of 464 4576 oneetx.exe 140 PID 4576 wrote to memory of 464 4576 oneetx.exe 140 PID 4576 wrote to memory of 464 4576 oneetx.exe 140 PID 464 wrote to memory of 4116 464 cmd.exe 142 PID 464 wrote to memory of 4116 464 cmd.exe 142 PID 464 wrote to memory of 4116 464 cmd.exe 142 PID 464 wrote to memory of 4608 464 cmd.exe 143 PID 464 wrote to memory of 4608 464 cmd.exe 143 PID 464 wrote to memory of 4608 464 cmd.exe 143 PID 464 wrote to memory of 2296 464 cmd.exe 144 PID 464 wrote to memory of 2296 464 cmd.exe 144 PID 464 wrote to memory of 2296 464 cmd.exe 144 PID 464 wrote to memory of 1700 464 cmd.exe 145 PID 464 wrote to memory of 1700 464 cmd.exe 145 PID 464 wrote to memory of 1700 464 cmd.exe 145 PID 464 wrote to memory of 1320 464 cmd.exe 146 PID 464 wrote to memory of 1320 464 cmd.exe 146 PID 464 wrote to memory of 1320 464 cmd.exe 146 PID 464 wrote to memory of 5084 464 cmd.exe 147 PID 464 wrote to memory of 5084 464 cmd.exe 147 PID 464 wrote to memory of 5084 464 cmd.exe 147 PID 4576 wrote to memory of 4900 4576 oneetx.exe 163 PID 4576 wrote to memory of 4900 4576 oneetx.exe 163 PID 4576 wrote to memory of 4900 4576 oneetx.exe 163
Processes
-
C:\Users\Admin\AppData\Local\Temp\a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe"C:\Users\Admin\AppData\Local\Temp\a60db8796568ed11f8fee42ebc3b9bfe94dd69226a72fc59ab8478d1bd01a619.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCO7613.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCO7613.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziOs5117.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziOs5117.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it182073.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it182073.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr293524.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr293524.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp843104.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp843104.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr204301.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr204301.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 6723⤵
- Program crash
PID:2364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 7523⤵
- Program crash
PID:3672
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 8563⤵
- Program crash
PID:4996
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 9523⤵
- Program crash
PID:4588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 9603⤵
- Program crash
PID:3348
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 8563⤵
- Program crash
PID:1364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 11923⤵
- Program crash
PID:1944
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 12563⤵
- Program crash
PID:1056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 13323⤵
- Program crash
PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 6924⤵
- Program crash
PID:1420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 8364⤵
- Program crash
PID:3924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 9164⤵
- Program crash
PID:3696
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10524⤵
- Program crash
PID:3472
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10884⤵
- Program crash
PID:4168
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10884⤵
- Program crash
PID:2616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 11084⤵
- Program crash
PID:1048
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:3872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10164⤵
- Program crash
PID:4016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 7524⤵
- Program crash
PID:4444
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4116
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:4608
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:2296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1700
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"5⤵PID:1320
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E5⤵PID:5084
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 12724⤵
- Program crash
PID:3564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10124⤵
- Program crash
PID:4404
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1324⤵
- Program crash
PID:4456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 7724⤵
- Program crash
PID:1932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 14084⤵
- Program crash
PID:3712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 10724⤵
- Program crash
PID:3592
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 16884⤵
- Program crash
PID:4264
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 16244⤵
- Program crash
PID:3464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 17164⤵
- Program crash
PID:1740
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 13923⤵
- Program crash
PID:220
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1600 -ip 16001⤵PID:4456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1600 -ip 16001⤵PID:3724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1600 -ip 16001⤵PID:3644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1600 -ip 16001⤵PID:3964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1600 -ip 16001⤵PID:1172
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1600 -ip 16001⤵PID:488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1600 -ip 16001⤵PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1600 -ip 16001⤵PID:2868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1600 -ip 16001⤵PID:2152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1600 -ip 16001⤵PID:4336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4576 -ip 45761⤵PID:4584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4576 -ip 45761⤵PID:1972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4576 -ip 45761⤵PID:3256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4576 -ip 45761⤵PID:1644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4576 -ip 45761⤵PID:3744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4576 -ip 45761⤵PID:3380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4576 -ip 45761⤵PID:1244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4576 -ip 45761⤵PID:3968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4576 -ip 45761⤵PID:460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 45761⤵PID:4492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 45761⤵PID:1188
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4576 -ip 45761⤵PID:644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4576 -ip 45761⤵PID:3352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4576 -ip 45761⤵PID:4920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 45761⤵PID:432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4576 -ip 45761⤵PID:3196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4576 -ip 45761⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 3202⤵
- Program crash
PID:2468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3704 -ip 37041⤵PID:1696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4576 -ip 45761⤵PID:1808
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
569KB
MD54e26df11ca0f1c50b4b9c4468c1a978a
SHA16822a883cf355fd3cd575dc916c1df2b6d255c08
SHA2566e76e374eab6c0c1538ab9b1c42140b2c8d4accee60c3f34042396c32920e679
SHA5125be843dfc08eca1e1f0dd87bae0450cf843e16ecdf5ac313db8bef3e1843fe0fa2028072d12e567b4505e15630a652670d97945aaa79da29b67892808a5f8cba
-
Filesize
569KB
MD54e26df11ca0f1c50b4b9c4468c1a978a
SHA16822a883cf355fd3cd575dc916c1df2b6d255c08
SHA2566e76e374eab6c0c1538ab9b1c42140b2c8d4accee60c3f34042396c32920e679
SHA5125be843dfc08eca1e1f0dd87bae0450cf843e16ecdf5ac313db8bef3e1843fe0fa2028072d12e567b4505e15630a652670d97945aaa79da29b67892808a5f8cba
-
Filesize
136KB
MD586810f340795831f3c2bd147981be929
SHA1573345e2c322720fa43f74d761ff1d48028f36c9
SHA256d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
-
Filesize
136KB
MD586810f340795831f3c2bd147981be929
SHA1573345e2c322720fa43f74d761ff1d48028f36c9
SHA256d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
-
Filesize
414KB
MD5b5dacb1f4639026727e5ab2a94734ad4
SHA1c52bbebc754e9465c940fe0d6e5fcb87c9ca2497
SHA256eaf01c3ea27ad27da32129dab7a24db12cf3187c2ec33993cf8e2447eeb5412a
SHA5126e5fb778d5840d4a963cc05fb872de077b2f8c3be625d8cef9e5c1d643e45002d1fef3c5e7be845c5e6271395cabf4b0fda68c83246df13f9d593c5065ec5dd7
-
Filesize
414KB
MD5b5dacb1f4639026727e5ab2a94734ad4
SHA1c52bbebc754e9465c940fe0d6e5fcb87c9ca2497
SHA256eaf01c3ea27ad27da32129dab7a24db12cf3187c2ec33993cf8e2447eeb5412a
SHA5126e5fb778d5840d4a963cc05fb872de077b2f8c3be625d8cef9e5c1d643e45002d1fef3c5e7be845c5e6271395cabf4b0fda68c83246df13f9d593c5065ec5dd7
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
360KB
MD516fd072e6b98e1b4f403b4b728e2f6a0
SHA134a00c694fcd3aaa1ad3a35cbd8d4ca82407bee5
SHA2564ac06fb2fca2a6fa71a9768948063c7eeb0c382f3851ca9ec92d4cdc604e8e3b
SHA5126a3ba1063705f67d6961002852712449dbba333a56b1a70bb915c873e65802330ee438b9d4ed44b01de4fe011c3b5f071fb7539f6430fb683c3d0f219e336390
-
Filesize
360KB
MD516fd072e6b98e1b4f403b4b728e2f6a0
SHA134a00c694fcd3aaa1ad3a35cbd8d4ca82407bee5
SHA2564ac06fb2fca2a6fa71a9768948063c7eeb0c382f3851ca9ec92d4cdc604e8e3b
SHA5126a3ba1063705f67d6961002852712449dbba333a56b1a70bb915c873e65802330ee438b9d4ed44b01de4fe011c3b5f071fb7539f6430fb683c3d0f219e336390
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
256KB
MD5e117c2e2e277d26fd929b917f9d97274
SHA1335be04c3ad75601b136fb728a960af6fee44fc9
SHA25660cf443fb36ffbb40cb6efbbb2d1f69f70e1e8deaf1aec9d0a4c16e16539ebd5
SHA512b6aa3afbf9cb3d631e4ac786c53ce6c641216d11db6f81489c68accf7f4ce123c8945e043ec2ee9d0aec066b16fd373f8fe1e22a875647e3b128873f7d6497b4
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5