dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe
Size

1.1MB
MD5

cedb6f9a3bee7bd25e341b72b404d597
SHA1

c2bcf640ae993d3d3d6a552960f2a1b83a78f20c
SHA256

dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59
SHA512

f1b6f9e9adece28482ef82f681bb4531146b895e388d187a538d36be8cd7f9022aa7865513341e2fbd97804b76240f00e978c45018bbdce4265e93b73fd2b0ef
SSDEEP

24576:ayH32lwD806Do/FXaI1EsY78o8P8aMnQehmISwfhgm5Y:hH3nDj6DoNXPEHb8P8nQMJf6

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr708101.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	si498748.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
628	un972564.exe
1312	un807402.exe
4360	pr708101.exe
4528	qu412274.exe
3328	rk005254.exe
1572	si498748.exe
4480	oneetx.exe
1428	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr708101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr708101.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un807402.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un972564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un972564.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un807402.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4384	4360	WerFault.exe	86
4044	4528	WerFault.exe	92
3840	1572	WerFault.exe	96
1268	1572	WerFault.exe	96
2920	1572	WerFault.exe	96
784	1572	WerFault.exe	96
2428	1572	WerFault.exe	96
3280	1572	WerFault.exe	96
4240	1572	WerFault.exe	96
212	1572	WerFault.exe	96
3688	1572	WerFault.exe	96
4680	1572	WerFault.exe	96
408	4480	WerFault.exe	116
4552	4480	WerFault.exe	116
4724	4480	WerFault.exe	116
3088	4480	WerFault.exe	116
4392	4480	WerFault.exe	116
4452	4480	WerFault.exe	116
4600	4480	WerFault.exe	116
2316	4480	WerFault.exe	116
3452	4480	WerFault.exe	116
4004	4480	WerFault.exe	116
3584	4480	WerFault.exe	116
4276	4480	WerFault.exe	116
5036	4480	WerFault.exe	116
1844	4480	WerFault.exe	116
8	4480	WerFault.exe	116
4560	4480	WerFault.exe	116
4232	1428	WerFault.exe	166
1576	4480	WerFault.exe	116

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4360	pr708101.exe
4360	pr708101.exe
4528	qu412274.exe
4528	qu412274.exe
3328	rk005254.exe
3328	rk005254.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	pr708101.exe
Token: SeDebugPrivilege	4528	qu412274.exe
Token: SeDebugPrivilege	3328	rk005254.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	si498748.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 628	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	84
PID 3456 wrote to memory of 628	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	84
PID 3456 wrote to memory of 628	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	84
PID 628 wrote to memory of 1312	628	un972564.exe	85
PID 628 wrote to memory of 1312	628	un972564.exe	85
PID 628 wrote to memory of 1312	628	un972564.exe	85
PID 1312 wrote to memory of 4360	1312	un807402.exe	86
PID 1312 wrote to memory of 4360	1312	un807402.exe	86
PID 1312 wrote to memory of 4360	1312	un807402.exe	86
PID 1312 wrote to memory of 4528	1312	un807402.exe	92
PID 1312 wrote to memory of 4528	1312	un807402.exe	92
PID 1312 wrote to memory of 4528	1312	un807402.exe	92
PID 628 wrote to memory of 3328	628	un972564.exe	95
PID 628 wrote to memory of 3328	628	un972564.exe	95
PID 628 wrote to memory of 3328	628	un972564.exe	95
PID 3456 wrote to memory of 1572	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	96
PID 3456 wrote to memory of 1572	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	96
PID 3456 wrote to memory of 1572	3456	dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe	96
PID 1572 wrote to memory of 4480	1572	si498748.exe	116
PID 1572 wrote to memory of 4480	1572	si498748.exe	116
PID 1572 wrote to memory of 4480	1572	si498748.exe	116
PID 4480 wrote to memory of 1096	4480	oneetx.exe	134
PID 4480 wrote to memory of 1096	4480	oneetx.exe	134
PID 4480 wrote to memory of 1096	4480	oneetx.exe	134
PID 4480 wrote to memory of 4852	4480	oneetx.exe	140
PID 4480 wrote to memory of 4852	4480	oneetx.exe	140
PID 4480 wrote to memory of 4852	4480	oneetx.exe	140
PID 4852 wrote to memory of 4044	4852	cmd.exe	143
PID 4852 wrote to memory of 4044	4852	cmd.exe	143
PID 4852 wrote to memory of 4044	4852	cmd.exe	143
PID 4852 wrote to memory of 5076	4852	cmd.exe	144
PID 4852 wrote to memory of 5076	4852	cmd.exe	144
PID 4852 wrote to memory of 5076	4852	cmd.exe	144
PID 4852 wrote to memory of 4804	4852	cmd.exe	146
PID 4852 wrote to memory of 4804	4852	cmd.exe	146
PID 4852 wrote to memory of 4804	4852	cmd.exe	146
PID 4852 wrote to memory of 4028	4852	cmd.exe	147
PID 4852 wrote to memory of 4028	4852	cmd.exe	147
PID 4852 wrote to memory of 4028	4852	cmd.exe	147
PID 4852 wrote to memory of 4936	4852	cmd.exe	148
PID 4852 wrote to memory of 4936	4852	cmd.exe	148
PID 4852 wrote to memory of 4936	4852	cmd.exe	148
PID 4852 wrote to memory of 4820	4852	cmd.exe	149
PID 4852 wrote to memory of 4820	4852	cmd.exe	149
PID 4852 wrote to memory of 4820	4852	cmd.exe	149
PID 4480 wrote to memory of 1228	4480	oneetx.exe	163
PID 4480 wrote to memory of 1228	4480	oneetx.exe	163
PID 4480 wrote to memory of 1228	4480	oneetx.exe	163

C:\Users\Admin\AppData\Local\Temp\dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe
"C:\Users\Admin\AppData\Local\Temp\dfcbbbebeada183c1703064f4362f0312cd613c286d0de9b15c10e21da6f2f59.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un972564.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un972564.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un807402.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un807402.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr708101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr708101.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1084
        5⤵
        Program crash
        
        PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu412274.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu412274.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1988
        5⤵
        Program crash
        
        PID:4044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005254.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005254.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498748.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498748.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 696
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 772
    3⤵
    - Program crash
    PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 856
    3⤵
    - Program crash
    PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 952
    3⤵
    - Program crash
    PID:784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 992
    3⤵
    - Program crash
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 992
    3⤵
    - Program crash
    PID:3280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1216
    3⤵
    - Program crash
    PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1204
    3⤵
    - Program crash
    PID:212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1320
    3⤵
    - Program crash
    PID:3688
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 692
      4⤵
      Program crash
      PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 848
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 916
      4⤵
      Program crash
      PID:4724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1052
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1072
      4⤵
      Program crash
      PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1052
      4⤵
      Program crash
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1108
      4⤵
      Program crash
      PID:4600
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1012
      4⤵
      Program crash
      PID:2316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 728
      4⤵
      Program crash
      PID:3452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1084
      4⤵
      Program crash
      PID:4004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 848
      4⤵
      Program crash
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 728
      4⤵
      Program crash
      PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1264
      4⤵
      Program crash
      PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1140
      4⤵
      Program crash
      PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1616
      4⤵
      Program crash
      PID:8
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1140
      4⤵
      Program crash
      PID:4560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1640
      4⤵
      Program crash
      PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1336
    3⤵
    - Program crash
    PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4360 -ip 4360
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4528 -ip 4528
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1572 -ip 1572
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1572 -ip 1572
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1572 -ip 1572
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1572 -ip 1572
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1572 -ip 1572
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1572 -ip 1572
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1572 -ip 1572
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1572 -ip 1572
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1572 -ip 1572
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1572 -ip 1572
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4480 -ip 4480
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4480 -ip 4480
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4480 -ip 4480
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4480 -ip 4480
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4480 -ip 4480
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4480 -ip 4480
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4480 -ip 4480
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4480 -ip 4480
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4480 -ip 4480
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4480 -ip 4480
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4480 -ip 4480
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4480 -ip 4480
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4480 -ip 4480
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4480 -ip 4480
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4480 -ip 4480
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4480 -ip 4480
1⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 312
  2⤵
  - Program crash
  PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1428 -ip 1428
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4480 -ip 4480
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498748.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498748.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un972564.exe

Filesize
763KB

MD5
8ffa7ad42216b6972decde88ed5c726f

SHA1
16b6b23a5bd2400ac80b94d78de9ed27bfc7d900

SHA256
bf69e1beb4c877f2b945d6713aaa18120c3fff94a0687b5ec386044024c359d5

SHA512
7a28e49cfc0ac698fc0c32c03fca38705ef6a5115e619fb56163bbb6756cb16298ac09e0eee199aea9804007d04d99002fc0700458efa747377579d740261f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un972564.exe

Filesize
763KB

MD5
8ffa7ad42216b6972decde88ed5c726f

SHA1
16b6b23a5bd2400ac80b94d78de9ed27bfc7d900

SHA256
bf69e1beb4c877f2b945d6713aaa18120c3fff94a0687b5ec386044024c359d5

SHA512
7a28e49cfc0ac698fc0c32c03fca38705ef6a5115e619fb56163bbb6756cb16298ac09e0eee199aea9804007d04d99002fc0700458efa747377579d740261f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005254.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005254.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un807402.exe

Filesize
609KB

MD5
6df1134beaecad58636273cf97927682

SHA1
eeccac3a63058e6aa39bd3baf56d55904329ffe2

SHA256
4253f9debc5df0e02defdd5f8adb2f2574fa038a111c99f0b6a32c4f7f77e5ec

SHA512
981e76bc194b63a49a6918b70912fa14731bab23df888cbe2eb42aa618882f16fb7c08298f15eb4ba898a1c4ad7a30a89d7311bcfd8796f9ad5560a167ace39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un807402.exe

Filesize
609KB

MD5
6df1134beaecad58636273cf97927682

SHA1
eeccac3a63058e6aa39bd3baf56d55904329ffe2

SHA256
4253f9debc5df0e02defdd5f8adb2f2574fa038a111c99f0b6a32c4f7f77e5ec

SHA512
981e76bc194b63a49a6918b70912fa14731bab23df888cbe2eb42aa618882f16fb7c08298f15eb4ba898a1c4ad7a30a89d7311bcfd8796f9ad5560a167ace39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr708101.exe

Filesize
405KB

MD5
9ffd677d889b2e5060b710c1ec615710

SHA1
c951b4a836a0ddf57b39cbe6201fe5bf13f54c9f

SHA256
e98f621bae86c0088d4e5dd88c5bac59263e643bf1800ab1fbcbedf2056a2113

SHA512
bc05175b5b1ef23c36777cebe1fff3cea429af046ed27675c263708cf7f6d07508fab7fdecdae99978247b5da9c982ee5a734db2b9164b51e36f503b494bb83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr708101.exe

Filesize
405KB

MD5
9ffd677d889b2e5060b710c1ec615710

SHA1
c951b4a836a0ddf57b39cbe6201fe5bf13f54c9f

SHA256
e98f621bae86c0088d4e5dd88c5bac59263e643bf1800ab1fbcbedf2056a2113

SHA512
bc05175b5b1ef23c36777cebe1fff3cea429af046ed27675c263708cf7f6d07508fab7fdecdae99978247b5da9c982ee5a734db2b9164b51e36f503b494bb83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu412274.exe

Filesize
488KB

MD5
c5dc9f65b07b6ff3fc0e63310df86400

SHA1
3d472ed9112c71746a0431ee4a5ba287a31635af

SHA256
ec9044c93835e8d923aba5d26a6921f05888fb4763dea21774cbcbc31870a663

SHA512
d3fe36ce7e29bdb2f730fc757cc9e974017a1dbd786ad9a62ced27ef1eb6937082b8e9097eac88606480b80e3405ea89e8b0aae869a0120fd93952bb053c2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu412274.exe

Filesize
488KB

MD5
c5dc9f65b07b6ff3fc0e63310df86400

SHA1
3d472ed9112c71746a0431ee4a5ba287a31635af

SHA256
ec9044c93835e8d923aba5d26a6921f05888fb4763dea21774cbcbc31870a663

SHA512
d3fe36ce7e29bdb2f730fc757cc9e974017a1dbd786ad9a62ced27ef1eb6937082b8e9097eac88606480b80e3405ea89e8b0aae869a0120fd93952bb053c2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
fe5a3f5600e41f2581f54fbfc70fd4e0

SHA1
3da396b976cf78a52129330387178f7407f53a67

SHA256
82cef8a2dbf0bf05aae95532ce4c0e2ae2b19874893bf3d6c67c4173de310cb0

SHA512
2ebb6caa951722b0c63355ba0f0bbda77a878ffa611334c134b343d013ae037fd4a0247726bb486f00b3ca9c9b6d43e61a109670c688e5581a3b17a703f09055

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1572-1018-0x0000000002460000-0x0000000002495000-memory.dmp

Filesize
212KB

Download
memory/3328-1012-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/3328-1011-0x0000000000D60000-0x0000000000D88000-memory.dmp

Filesize
160KB

Download
memory/4360-156-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/4360-173-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-177-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-179-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-181-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-183-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-185-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-187-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4360-189-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-190-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-191-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-193-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4360-175-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-171-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-167-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-169-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-165-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-163-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-161-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-157-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-158-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-159-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4360-160-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/4360-155-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/4528-204-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-218-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-222-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-224-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-226-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-230-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-228-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-232-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-234-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-611-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/4528-994-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/4528-995-0x00000000029D0000-0x00000000029E2000-memory.dmp

Filesize
72KB

Download
memory/4528-996-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/4528-998-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/4528-997-0x00000000080C0000-0x00000000080FC000-memory.dmp

Filesize
240KB

Download
memory/4528-999-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4528-1000-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/4528-1001-0x0000000008C30000-0x0000000008C80000-memory.dmp

Filesize
320KB

Download
memory/4528-1002-0x0000000008C90000-0x0000000008D06000-memory.dmp

Filesize
472KB

Download
memory/4528-220-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-216-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-214-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-212-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-208-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-210-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-201-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-206-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-202-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4528-200-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/4528-199-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/4528-198-0x0000000002350000-0x0000000002396000-memory.dmp

Filesize
280KB

Download
memory/4528-1003-0x0000000008D40000-0x0000000008D5E000-memory.dmp

Filesize
120KB

Download
memory/4528-1004-0x0000000008F60000-0x0000000009122000-memory.dmp

Filesize
1.8MB

Download
memory/4528-1005-0x0000000009330000-0x000000000985C000-memory.dmp

Filesize
5.2MB

Download