Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
20-04-2023 05:42
Static task
static1
General
-
Target
de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe
-
Size
1.1MB
-
MD5
8971aa8d72ab55a5c815bfbdd4a1e860
-
SHA1
b83e0e5a680c2f5c8ffcf81bcf99cc5cc34576df
-
SHA256
de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e
-
SHA512
9cfbb60bb711cd7c802843f416b6ced9dfda11eee7c016dd4b3467b45ea530f57cf263f5e33612b1413103c5dbc082d54fff42be03f0332608adbb07e1a5652a
-
SSDEEP
24576:7yPECO8MzGJ3uhw/YeZQwMwCPp/PU/f5MPbwO3r+ED0:usuMCJehwAeZQGCtUXg0O3r+
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" pr081399.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection pr081399.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" pr081399.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" pr081399.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" pr081399.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" pr081399.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation si781074.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 9 IoCs
pid Process 1916 un942248.exe 1436 un950652.exe 3320 pr081399.exe 2224 qu832324.exe 4680 rk571539.exe 4496 si781074.exe 1244 oneetx.exe 4844 oneetx.exe 1028 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 3532 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features pr081399.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" pr081399.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un942248.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un942248.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un950652.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" un950652.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
pid pid_target Process procid_target 2720 3320 WerFault.exe 84 4992 2224 WerFault.exe 90 4332 4496 WerFault.exe 94 3844 4496 WerFault.exe 94 4916 4496 WerFault.exe 94 3760 4496 WerFault.exe 94 1376 4496 WerFault.exe 94 1120 4496 WerFault.exe 94 4800 4496 WerFault.exe 94 2704 4496 WerFault.exe 94 2284 4496 WerFault.exe 94 1564 4496 WerFault.exe 94 4532 1244 WerFault.exe 114 2536 1244 WerFault.exe 114 3920 1244 WerFault.exe 114 1000 1244 WerFault.exe 114 5028 1244 WerFault.exe 114 4376 1244 WerFault.exe 114 5100 1244 WerFault.exe 114 4124 1244 WerFault.exe 114 3588 1244 WerFault.exe 114 5060 1244 WerFault.exe 114 5012 1244 WerFault.exe 114 4680 1244 WerFault.exe 114 5044 1244 WerFault.exe 114 2668 1244 WerFault.exe 114 2336 4844 WerFault.exe 159 4664 1244 WerFault.exe 114 1300 1244 WerFault.exe 114 4648 1244 WerFault.exe 114 320 1028 WerFault.exe 170 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4540 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3320 pr081399.exe 3320 pr081399.exe 2224 qu832324.exe 2224 qu832324.exe 4680 rk571539.exe 4680 rk571539.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3320 pr081399.exe Token: SeDebugPrivilege 2224 qu832324.exe Token: SeDebugPrivilege 4680 rk571539.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4496 si781074.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1832 wrote to memory of 1916 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 82 PID 1832 wrote to memory of 1916 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 82 PID 1832 wrote to memory of 1916 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 82 PID 1916 wrote to memory of 1436 1916 un942248.exe 83 PID 1916 wrote to memory of 1436 1916 un942248.exe 83 PID 1916 wrote to memory of 1436 1916 un942248.exe 83 PID 1436 wrote to memory of 3320 1436 un950652.exe 84 PID 1436 wrote to memory of 3320 1436 un950652.exe 84 PID 1436 wrote to memory of 3320 1436 un950652.exe 84 PID 1436 wrote to memory of 2224 1436 un950652.exe 90 PID 1436 wrote to memory of 2224 1436 un950652.exe 90 PID 1436 wrote to memory of 2224 1436 un950652.exe 90 PID 1916 wrote to memory of 4680 1916 un942248.exe 93 PID 1916 wrote to memory of 4680 1916 un942248.exe 93 PID 1916 wrote to memory of 4680 1916 un942248.exe 93 PID 1832 wrote to memory of 4496 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 94 PID 1832 wrote to memory of 4496 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 94 PID 1832 wrote to memory of 4496 1832 de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe 94 PID 4496 wrote to memory of 1244 4496 si781074.exe 114 PID 4496 wrote to memory of 1244 4496 si781074.exe 114 PID 4496 wrote to memory of 1244 4496 si781074.exe 114 PID 1244 wrote to memory of 4540 1244 oneetx.exe 134 PID 1244 wrote to memory of 4540 1244 oneetx.exe 134 PID 1244 wrote to memory of 4540 1244 oneetx.exe 134 PID 1244 wrote to memory of 4860 1244 oneetx.exe 140 PID 1244 wrote to memory of 4860 1244 oneetx.exe 140 PID 1244 wrote to memory of 4860 1244 oneetx.exe 140 PID 4860 wrote to memory of 3944 4860 cmd.exe 144 PID 4860 wrote to memory of 3944 4860 cmd.exe 144 PID 4860 wrote to memory of 3944 4860 cmd.exe 144 PID 4860 wrote to memory of 3732 4860 cmd.exe 145 PID 4860 wrote to memory of 3732 4860 cmd.exe 145 PID 4860 wrote to memory of 3732 4860 cmd.exe 145 PID 4860 wrote to memory of 2464 4860 cmd.exe 146 PID 4860 wrote to memory of 2464 4860 cmd.exe 146 PID 4860 wrote to memory of 2464 4860 cmd.exe 146 PID 4860 wrote to memory of 1484 4860 cmd.exe 148 PID 4860 wrote to memory of 1484 4860 cmd.exe 148 PID 4860 wrote to memory of 1484 4860 cmd.exe 148 PID 4860 wrote to memory of 4136 4860 cmd.exe 147 PID 4860 wrote to memory of 4136 4860 cmd.exe 147 PID 4860 wrote to memory of 4136 4860 cmd.exe 147 PID 4860 wrote to memory of 1236 4860 cmd.exe 149 PID 4860 wrote to memory of 1236 4860 cmd.exe 149 PID 4860 wrote to memory of 1236 4860 cmd.exe 149 PID 1244 wrote to memory of 3532 1244 oneetx.exe 164 PID 1244 wrote to memory of 3532 1244 oneetx.exe 164 PID 1244 wrote to memory of 3532 1244 oneetx.exe 164
Processes
-
C:\Users\Admin\AppData\Local\Temp\de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe"C:\Users\Admin\AppData\Local\Temp\de4f844df17c1b08afc9e18751edeb047962225d90bfffe2a1c5ea772fbfa94e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un942248.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un942248.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un950652.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un950652.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr081399.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr081399.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 10845⤵
- Program crash
PID:2720
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu832324.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu832324.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 13245⤵
- Program crash
PID:4992
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk571539.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk571539.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si781074.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si781074.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 6963⤵
- Program crash
PID:4332
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 7523⤵
- Program crash
PID:3844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 8563⤵
- Program crash
PID:4916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 9603⤵
- Program crash
PID:3760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 9803⤵
- Program crash
PID:1376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 9803⤵
- Program crash
PID:1120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 12163⤵
- Program crash
PID:4800
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 12323⤵
- Program crash
PID:2704
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 13123⤵
- Program crash
PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 6924⤵
- Program crash
PID:4532
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 8484⤵
- Program crash
PID:2536
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 8884⤵
- Program crash
PID:3920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 10524⤵
- Program crash
PID:1000
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 10724⤵
- Program crash
PID:5028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 10884⤵
- Program crash
PID:4376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 10924⤵
- Program crash
PID:5100
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:4540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 9924⤵
- Program crash
PID:4124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 7524⤵
- Program crash
PID:3588
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:3944
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:3732
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:2464
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"5⤵PID:4136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1484
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E5⤵PID:1236
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 7644⤵
- Program crash
PID:5060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 8524⤵
- Program crash
PID:5012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 7284⤵
- Program crash
PID:4680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 12764⤵
- Program crash
PID:5044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 11364⤵
- Program crash
PID:2668
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 16124⤵
- Program crash
PID:4664
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:3532
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 11364⤵
- Program crash
PID:1300
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 16364⤵
- Program crash
PID:4648
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 7603⤵
- Program crash
PID:1564
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3320 -ip 33201⤵PID:4088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2224 -ip 22241⤵PID:4316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4496 -ip 44961⤵PID:4084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4496 -ip 44961⤵PID:4976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4496 -ip 44961⤵PID:4728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4496 -ip 44961⤵PID:4848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4496 -ip 44961⤵PID:5096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4496 -ip 44961⤵PID:2324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4496 -ip 44961⤵PID:4664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4496 -ip 44961⤵PID:4752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4496 -ip 44961⤵PID:1404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4496 -ip 44961⤵PID:464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1244 -ip 12441⤵PID:692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1244 -ip 12441⤵PID:2516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1244 -ip 12441⤵PID:2212
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 12441⤵PID:3460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1244 -ip 12441⤵PID:2996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1244 -ip 12441⤵PID:3192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1244 -ip 12441⤵PID:340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 12441⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1244 -ip 12441⤵PID:2216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 12441⤵PID:4312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1244 -ip 12441⤵PID:4700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 12441⤵PID:2204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1244 -ip 12441⤵PID:1320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1244 -ip 12441⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 3162⤵
- Program crash
PID:2336
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4844 -ip 48441⤵PID:4916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1244 -ip 12441⤵PID:1064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1244 -ip 12441⤵PID:844
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1244 -ip 12441⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 3122⤵
- Program crash
PID:320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1028 -ip 10281⤵PID:4716
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
762KB
MD5e08455c318eb429ef0c972e90d172bfa
SHA149ca4ed61040a54fa9821de9b7598dc04d7484c1
SHA256522d4e5dca62644bfc4ee4d9cb4f3cbde76334b54822bfd25c2dc5ce3dda3521
SHA512fcad6c0997d903a6e7ed2b5cdb45419ef4d8f6359716c72e72ee262450b82eb38466173c1408221c84b75f537e86649744b5c8bdf085e9ac49d38c4271f83b17
-
Filesize
762KB
MD5e08455c318eb429ef0c972e90d172bfa
SHA149ca4ed61040a54fa9821de9b7598dc04d7484c1
SHA256522d4e5dca62644bfc4ee4d9cb4f3cbde76334b54822bfd25c2dc5ce3dda3521
SHA512fcad6c0997d903a6e7ed2b5cdb45419ef4d8f6359716c72e72ee262450b82eb38466173c1408221c84b75f537e86649744b5c8bdf085e9ac49d38c4271f83b17
-
Filesize
136KB
MD586810f340795831f3c2bd147981be929
SHA1573345e2c322720fa43f74d761ff1d48028f36c9
SHA256d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
-
Filesize
136KB
MD586810f340795831f3c2bd147981be929
SHA1573345e2c322720fa43f74d761ff1d48028f36c9
SHA256d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
-
Filesize
608KB
MD55306b8baebe7da9eaaf47f36cba850a4
SHA1108e9d48117570ccf1557a369690bf1d5c209e91
SHA256d501de5c86f27306ffa88e11ab8add416bcb4157b77930a7951131e6e80d83e6
SHA512938f920a75943ae0b4d2ddc4ecabefa96cd42a82a2ffd0c24e367f0c7675e72ffeb4a304163bb505a597f5c8b7788f84c47aa18b51875debded5294c764c5f85
-
Filesize
608KB
MD55306b8baebe7da9eaaf47f36cba850a4
SHA1108e9d48117570ccf1557a369690bf1d5c209e91
SHA256d501de5c86f27306ffa88e11ab8add416bcb4157b77930a7951131e6e80d83e6
SHA512938f920a75943ae0b4d2ddc4ecabefa96cd42a82a2ffd0c24e367f0c7675e72ffeb4a304163bb505a597f5c8b7788f84c47aa18b51875debded5294c764c5f85
-
Filesize
403KB
MD5d8282c6e60f6415de6367c9a189db1f0
SHA1bfb99b0df90030183879db61ff806a9b60054f5c
SHA25692fd42db3134f8ea7ea667446891e081bd69dca6c509da480882a46892a927a8
SHA512eda79629ba1173a58d2fea0dbcd7d17b3c197f2a4f1f9d6d1d0de5a200ab777997a0542ba8ad16fea7ab794f455b8f31aa0211d201d337ab62dbae5c1a27dcb6
-
Filesize
403KB
MD5d8282c6e60f6415de6367c9a189db1f0
SHA1bfb99b0df90030183879db61ff806a9b60054f5c
SHA25692fd42db3134f8ea7ea667446891e081bd69dca6c509da480882a46892a927a8
SHA512eda79629ba1173a58d2fea0dbcd7d17b3c197f2a4f1f9d6d1d0de5a200ab777997a0542ba8ad16fea7ab794f455b8f31aa0211d201d337ab62dbae5c1a27dcb6
-
Filesize
485KB
MD5124e28c951cf86131eed08a048879a09
SHA1e3996f57aef8c98fdc7db89dfbfc7a6c7ca62ee2
SHA25673d61c13fe83d76d96a1455d3793a91caf172460e66d1a4117fef816f36e20da
SHA512a473a2d9ab82769642765a77f20096e36495b82375e8b9c4a8b408e14f71b162b7d91a280868c04c4ba0f458577ea3f4965197aed2fe3eed8ac9ef2644f0e3ee
-
Filesize
485KB
MD5124e28c951cf86131eed08a048879a09
SHA1e3996f57aef8c98fdc7db89dfbfc7a6c7ca62ee2
SHA25673d61c13fe83d76d96a1455d3793a91caf172460e66d1a4117fef816f36e20da
SHA512a473a2d9ab82769642765a77f20096e36495b82375e8b9c4a8b408e14f71b162b7d91a280868c04c4ba0f458577ea3f4965197aed2fe3eed8ac9ef2644f0e3ee
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
381KB
MD5cf308c6f25e9928e296b67f16dd407dd
SHA1c5de335a748aa64c526e5abb7631fb7a61fc5d2a
SHA256dbc4b458be98d4c9fc944f8d6ae0452c2f7e48732c256cfc67ef0e0b01a8d9ac
SHA512ab7ec055b3c8984a49874db0f26710e636b3b11c3fdc21bb4483bd16ac869231a1b5fc1510d94ed6fddd631bc1031e8e8bf20aab0bc6dfc6c96a4f227701fb95
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
89KB
MD5f577e9f9bb3716a1405af573fbf2afb4
SHA17e2a18c86e4912f9218fbe7c8cf64e04afb90f6e
SHA2564b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb
SHA512fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5