f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef

Analysis

max time kernel
147s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe
Size

1.0MB
MD5

c1b2b575078b95e7c8f397df4f3014b3
SHA1

f4bb8ec383b637ce667d0b45580be58ca5622e61
SHA256

f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef
SHA512

0dc79c0e5026b408168216375d963a2430e92bebc0dbccf8db2f52b0338969a4ef1883c2f0caefb9cdc682b16cb873652c77bfcd3401ce297889350a9a054a80
SSDEEP

24576:RyXVpyzyEFvpfZvUUJxnA22I9GaKKRHdoS2i0vMY9lQTsdY:EL2yEFBSUrehcdoS2LRu

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr901130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr901130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr901130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr901130.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr901130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr901130.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	si237380.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
1016	un036808.exe
1524	un843096.exe
1692	pr901130.exe
1568	qu793875.exe
4404	rk369427.exe
5024	si237380.exe
1356	oneetx.exe
1928	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4496	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr901130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr901130.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un036808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un036808.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un843096.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un843096.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
4144	1692	WerFault.exe	85
3796	1568	WerFault.exe	93
1956	5024	WerFault.exe	98
2692	5024	WerFault.exe	98
2284	5024	WerFault.exe	98
3568	5024	WerFault.exe	98
1776	5024	WerFault.exe	98
3308	5024	WerFault.exe	98
60	5024	WerFault.exe	98
1064	5024	WerFault.exe	98
5064	5024	WerFault.exe	98
4828	5024	WerFault.exe	98
1436	1356	WerFault.exe	118
1048	1356	WerFault.exe	118
3908	1356	WerFault.exe	118
2796	1356	WerFault.exe	118
3296	1356	WerFault.exe	118
2452	1356	WerFault.exe	118
3680	1356	WerFault.exe	118
2508	1356	WerFault.exe	118
3400	1356	WerFault.exe	118
1012	1356	WerFault.exe	118
4784	1356	WerFault.exe	118
376	1356	WerFault.exe	118
792	1356	WerFault.exe	118
3924	1356	WerFault.exe	118
3144	1356	WerFault.exe	118
3360	1356	WerFault.exe	118
4384	1356	WerFault.exe	118
4388	1928	WerFault.exe	164
1436	1356	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1692	pr901130.exe
1692	pr901130.exe
1568	qu793875.exe
1568	qu793875.exe
4404	rk369427.exe
4404	rk369427.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	pr901130.exe
Token: SeDebugPrivilege	1568	qu793875.exe
Token: SeDebugPrivilege	4404	rk369427.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5024	si237380.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1016	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	83
PID 4644 wrote to memory of 1016	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	83
PID 4644 wrote to memory of 1016	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	83
PID 1016 wrote to memory of 1524	1016	un036808.exe	84
PID 1016 wrote to memory of 1524	1016	un036808.exe	84
PID 1016 wrote to memory of 1524	1016	un036808.exe	84
PID 1524 wrote to memory of 1692	1524	un843096.exe	85
PID 1524 wrote to memory of 1692	1524	un843096.exe	85
PID 1524 wrote to memory of 1692	1524	un843096.exe	85
PID 1524 wrote to memory of 1568	1524	un843096.exe	93
PID 1524 wrote to memory of 1568	1524	un843096.exe	93
PID 1524 wrote to memory of 1568	1524	un843096.exe	93
PID 1016 wrote to memory of 4404	1016	un036808.exe	96
PID 1016 wrote to memory of 4404	1016	un036808.exe	96
PID 1016 wrote to memory of 4404	1016	un036808.exe	96
PID 4644 wrote to memory of 5024	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	98
PID 4644 wrote to memory of 5024	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	98
PID 4644 wrote to memory of 5024	4644	f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe	98
PID 5024 wrote to memory of 1356	5024	si237380.exe	118
PID 5024 wrote to memory of 1356	5024	si237380.exe	118
PID 5024 wrote to memory of 1356	5024	si237380.exe	118
PID 1356 wrote to memory of 1216	1356	oneetx.exe	137
PID 1356 wrote to memory of 1216	1356	oneetx.exe	137
PID 1356 wrote to memory of 1216	1356	oneetx.exe	137
PID 1356 wrote to memory of 4844	1356	oneetx.exe	144
PID 1356 wrote to memory of 4844	1356	oneetx.exe	144
PID 1356 wrote to memory of 4844	1356	oneetx.exe	144
PID 4844 wrote to memory of 2428	4844	cmd.exe	147
PID 4844 wrote to memory of 2428	4844	cmd.exe	147
PID 4844 wrote to memory of 2428	4844	cmd.exe	147
PID 4844 wrote to memory of 4428	4844	cmd.exe	149
PID 4844 wrote to memory of 4428	4844	cmd.exe	149
PID 4844 wrote to memory of 4428	4844	cmd.exe	149
PID 4844 wrote to memory of 4940	4844	cmd.exe	150
PID 4844 wrote to memory of 4940	4844	cmd.exe	150
PID 4844 wrote to memory of 4940	4844	cmd.exe	150
PID 4844 wrote to memory of 4604	4844	cmd.exe	151
PID 4844 wrote to memory of 4604	4844	cmd.exe	151
PID 4844 wrote to memory of 4604	4844	cmd.exe	151
PID 4844 wrote to memory of 4484	4844	cmd.exe	152
PID 4844 wrote to memory of 4484	4844	cmd.exe	152
PID 4844 wrote to memory of 4484	4844	cmd.exe	152
PID 4844 wrote to memory of 1220	4844	cmd.exe	153
PID 4844 wrote to memory of 1220	4844	cmd.exe	153
PID 4844 wrote to memory of 1220	4844	cmd.exe	153
PID 1356 wrote to memory of 4496	1356	oneetx.exe	167
PID 1356 wrote to memory of 4496	1356	oneetx.exe	167
PID 1356 wrote to memory of 4496	1356	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe
"C:\Users\Admin\AppData\Local\Temp\f4c68bdc6ecae826e5ffbae86a164c9255b82bc9a61c5772fdce4abef2aebfef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036808.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036808.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un843096.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un843096.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr901130.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr901130.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1080
        5⤵
        Program crash
        
        PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793875.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793875.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1328
        5⤵
        Program crash
        
        PID:3796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk369427.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk369427.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si237380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si237380.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 696
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 772
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 812
    3⤵
    - Program crash
    PID:2284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 952
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 988
    3⤵
    - Program crash
    PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 988
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1208
    3⤵
    - Program crash
    PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1232
    3⤵
    - Program crash
    PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1316
    3⤵
    - Program crash
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 692
      4⤵
      Program crash
      PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 832
      4⤵
      Program crash
      PID:1048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 912
      4⤵
      Program crash
      PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1052
      4⤵
      Program crash
      PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1096
      4⤵
      Program crash
      PID:3296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1096
      4⤵
      Program crash
      PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1068
      4⤵
      Program crash
      PID:3680
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1000
      4⤵
      Program crash
      PID:2508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1288
      4⤵
      Program crash
      PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4484
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:1220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 912
      4⤵
      Program crash
      PID:1012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 744
      4⤵
      Program crash
      PID:4784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1000
      4⤵
      Program crash
      PID:376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 768
      4⤵
      Program crash
      PID:792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1432
      4⤵
      Program crash
      PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1072
      4⤵
      Program crash
      PID:3144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1608
      4⤵
      Program crash
      PID:3360
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1592
      4⤵
      Program crash
      PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1636
      4⤵
      Program crash
      PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1340
    3⤵
    - Program crash
    PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1692 -ip 1692
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1568 -ip 1568
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5024 -ip 5024
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5024 -ip 5024
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5024 -ip 5024
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5024 -ip 5024
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5024 -ip 5024
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5024 -ip 5024
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5024 -ip 5024
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5024 -ip 5024
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5024 -ip 5024
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1356 -ip 1356
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1356 -ip 1356
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1356 -ip 1356
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1356 -ip 1356
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1356 -ip 1356
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1356 -ip 1356
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1356 -ip 1356
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1356 -ip 1356
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1356 -ip 1356
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1356 -ip 1356
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1356 -ip 1356
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1356 -ip 1356
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1356 -ip 1356
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1356 -ip 1356
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1356 -ip 1356
1⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 312
  2⤵
  - Program crash
  PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1356 -ip 1356
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1356 -ip 1356
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1928 -ip 1928
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1356 -ip 1356
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si237380.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si237380.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036808.exe

Filesize
749KB

MD5
0bc302e6c91cff52d056118c6477e32a

SHA1
cc63c7cc37c7d13b351d6743f0af5a9691733a4c

SHA256
0bc94caf2759dd813ce7061e4275320057c28b9d85961cfaf07a18d369d6d9a7

SHA512
62a96b6b942d29df19427dc838d68ac3104f8013ed0ca264dd7af9e9600759bd52f67cff53ea14fe0337024de4b398539b393e622052b7e004156cdead89c22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un036808.exe

Filesize
749KB

MD5
0bc302e6c91cff52d056118c6477e32a

SHA1
cc63c7cc37c7d13b351d6743f0af5a9691733a4c

SHA256
0bc94caf2759dd813ce7061e4275320057c28b9d85961cfaf07a18d369d6d9a7

SHA512
62a96b6b942d29df19427dc838d68ac3104f8013ed0ca264dd7af9e9600759bd52f67cff53ea14fe0337024de4b398539b393e622052b7e004156cdead89c22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk369427.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk369427.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un843096.exe

Filesize
595KB

MD5
d71aac283a04195b18d1143b7fa73db4

SHA1
f10685c5918723bf5f8c5151a72c3352e8a54491

SHA256
6c226eeac6d1c0437e2e8c2b2f79ba2a2a320f9bf83af66d907f1fede4341469

SHA512
7b410f79cf627b5f4a12981a4681d0d09bf063f23066c0938fd750d49bc78716c0f9f5a938bd847cc707f0a66e1e83bd7e355ddc131f0ae9f3f68faa10574a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un843096.exe

Filesize
595KB

MD5
d71aac283a04195b18d1143b7fa73db4

SHA1
f10685c5918723bf5f8c5151a72c3352e8a54491

SHA256
6c226eeac6d1c0437e2e8c2b2f79ba2a2a320f9bf83af66d907f1fede4341469

SHA512
7b410f79cf627b5f4a12981a4681d0d09bf063f23066c0938fd750d49bc78716c0f9f5a938bd847cc707f0a66e1e83bd7e355ddc131f0ae9f3f68faa10574a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr901130.exe

Filesize
389KB

MD5
2c6700c516ef3f4daba702d1918a06c3

SHA1
ed28d4ccdf4334a42f60f6a637b889205c8969f6

SHA256
993fda0a61dea66e78f971e08206462f4eb8d3cb3b9e98ae9b03b2fd405f8021

SHA512
ee2fe3c1d4f990077c97a2ae0d5fa9c65111dd151b3fd85e1df77527e12bd77c69ea65bc512ecea9765ab28a5d81cb104b381d827670124d24b2e6269cb97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr901130.exe

Filesize
389KB

MD5
2c6700c516ef3f4daba702d1918a06c3

SHA1
ed28d4ccdf4334a42f60f6a637b889205c8969f6

SHA256
993fda0a61dea66e78f971e08206462f4eb8d3cb3b9e98ae9b03b2fd405f8021

SHA512
ee2fe3c1d4f990077c97a2ae0d5fa9c65111dd151b3fd85e1df77527e12bd77c69ea65bc512ecea9765ab28a5d81cb104b381d827670124d24b2e6269cb97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793875.exe

Filesize
472KB

MD5
ad8acf30550326d44436c0fc05262bd2

SHA1
3c5ee4ebc59087445de8c7b68ed313d48fb4ce97

SHA256
f21588fc43531fa04a5a8750c950348a12723c0a064848c703e5053af3284761

SHA512
5256b80bff9fcf8e3febfb8acfade2d179b163c1a851e313c994e225402b19efe5d807491964b188d6e05bf5a355df6cff0459a0fc104d28e832e2f64f9349cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu793875.exe

Filesize
472KB

MD5
ad8acf30550326d44436c0fc05262bd2

SHA1
3c5ee4ebc59087445de8c7b68ed313d48fb4ce97

SHA256
f21588fc43531fa04a5a8750c950348a12723c0a064848c703e5053af3284761

SHA512
5256b80bff9fcf8e3febfb8acfade2d179b163c1a851e313c994e225402b19efe5d807491964b188d6e05bf5a355df6cff0459a0fc104d28e832e2f64f9349cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
310c8398cab7052082dab3d226444409

SHA1
d0e9c8d877254589573db34d892ddf6240e03ad1

SHA256
4cfeb36154b5f9efc9de7917109f61e0c821fe7ec8e89880770c9c4d766fcccc

SHA512
345656535024892b04809553a82c438d2c988c0b0ec457ecd026da4088ae3fc3a18e2a53408f58b5dafd1a070a4b4adfc3b3c94260f0a8cb1af9c035bc575ee8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1568-999-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/1568-312-0x0000000000970000-0x00000000009B6000-memory.dmp

Filesize
280KB

Download
memory/1568-1005-0x0000000009580000-0x000000000959E000-memory.dmp

Filesize
120KB

Download
memory/1568-1004-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/1568-1003-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/1568-1002-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/1568-1001-0x0000000008B20000-0x0000000008B70000-memory.dmp

Filesize
320KB

Download
memory/1568-1000-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/1568-998-0x0000000005040000-0x000000000507C000-memory.dmp

Filesize
240KB

Download
memory/1568-997-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1568-996-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/1568-995-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/1568-994-0x0000000007A20000-0x0000000008038000-memory.dmp

Filesize
6.1MB

Download
memory/1568-199-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-198-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-201-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-203-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-205-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-207-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-209-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-211-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-215-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-213-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-217-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-219-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-221-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-223-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-225-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-227-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-229-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-231-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/1568-317-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1568-314-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1568-315-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1692-169-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-157-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1692-177-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-193-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/1692-179-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-190-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1692-173-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-189-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1692-188-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/1692-187-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-185-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-183-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-175-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-181-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-191-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1692-155-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/1692-156-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/1692-167-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-165-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-158-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1692-163-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-161-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-160-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-171-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/1692-159-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/4404-1013-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/4404-1012-0x0000000000350000-0x0000000000378000-memory.dmp

Filesize
160KB

Download
memory/5024-1019-0x0000000000B90000-0x0000000000BC5000-memory.dmp

Filesize
212KB

Download