ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe
Size

827KB
MD5

1dcac0fdb8c9472e4483b3f5bf3982d4
SHA1

5741fe0081378510fd27d47f8f0038448c57077e
SHA256

ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd
SHA512

583c8202367d735c53cfd4cb968932aa270351515394f2544c4d3d67207375eed544f6caa088f27caed9f67751008c5959a166af23277f0255857e8675b807b4
SSDEEP

12288:Vy90IoJb8BPlg5eaSZDbrHGzCALnfC+EVjmznWQnRCV14fR8:Vyrwb6DbizCALnfC+ETIHK

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it506298.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it506298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it506298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it506298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it506298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it506298.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lr428661.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1252	zitE6199.exe
2016	ziGu4582.exe
2360	it506298.exe
328	jr454693.exe
2236	kp796606.exe
3808	lr428661.exe
5048	oneetx.exe
2532	oneetx.exe
2444	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2496	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it506298.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zitE6199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zitE6199.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziGu4582.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziGu4582.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
508	328	WerFault.exe	89
708	3808	WerFault.exe	93
4084	3808	WerFault.exe	93
3660	3808	WerFault.exe	93
4620	3808	WerFault.exe	93
2320	3808	WerFault.exe	93
1944	3808	WerFault.exe	93
1060	3808	WerFault.exe	93
4912	3808	WerFault.exe	93
1976	3808	WerFault.exe	93
3216	3808	WerFault.exe	93
1144	5048	WerFault.exe	113
656	5048	WerFault.exe	113
4592	5048	WerFault.exe	113
4112	5048	WerFault.exe	113
4236	5048	WerFault.exe	113
3968	5048	WerFault.exe	113
4196	5048	WerFault.exe	113
2472	5048	WerFault.exe	113
1820	5048	WerFault.exe	113
3144	5048	WerFault.exe	113
4420	5048	WerFault.exe	113
4152	5048	WerFault.exe	113
1208	5048	WerFault.exe	113
3380	5048	WerFault.exe	113
3880	2532	WerFault.exe	154
3492	5048	WerFault.exe	113
4680	5048	WerFault.exe	113
2152	5048	WerFault.exe	113
5012	2444	WerFault.exe	164

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2360	it506298.exe
2360	it506298.exe
328	jr454693.exe
328	jr454693.exe
2236	kp796606.exe
2236	kp796606.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	it506298.exe
Token: SeDebugPrivilege	328	jr454693.exe
Token: SeDebugPrivilege	2236	kp796606.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3808	lr428661.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1252	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	84
PID 2884 wrote to memory of 1252	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	84
PID 2884 wrote to memory of 1252	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	84
PID 1252 wrote to memory of 2016	1252	zitE6199.exe	85
PID 1252 wrote to memory of 2016	1252	zitE6199.exe	85
PID 1252 wrote to memory of 2016	1252	zitE6199.exe	85
PID 2016 wrote to memory of 2360	2016	ziGu4582.exe	86
PID 2016 wrote to memory of 2360	2016	ziGu4582.exe	86
PID 2016 wrote to memory of 328	2016	ziGu4582.exe	89
PID 2016 wrote to memory of 328	2016	ziGu4582.exe	89
PID 2016 wrote to memory of 328	2016	ziGu4582.exe	89
PID 1252 wrote to memory of 2236	1252	zitE6199.exe	92
PID 1252 wrote to memory of 2236	1252	zitE6199.exe	92
PID 1252 wrote to memory of 2236	1252	zitE6199.exe	92
PID 2884 wrote to memory of 3808	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	93
PID 2884 wrote to memory of 3808	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	93
PID 2884 wrote to memory of 3808	2884	ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe	93
PID 3808 wrote to memory of 5048	3808	lr428661.exe	113
PID 3808 wrote to memory of 5048	3808	lr428661.exe	113
PID 3808 wrote to memory of 5048	3808	lr428661.exe	113
PID 5048 wrote to memory of 1828	5048	oneetx.exe	130
PID 5048 wrote to memory of 1828	5048	oneetx.exe	130
PID 5048 wrote to memory of 1828	5048	oneetx.exe	130
PID 5048 wrote to memory of 1736	5048	oneetx.exe	136
PID 5048 wrote to memory of 1736	5048	oneetx.exe	136
PID 5048 wrote to memory of 1736	5048	oneetx.exe	136
PID 1736 wrote to memory of 1856	1736	cmd.exe	139
PID 1736 wrote to memory of 1856	1736	cmd.exe	139
PID 1736 wrote to memory of 1856	1736	cmd.exe	139
PID 1736 wrote to memory of 1472	1736	cmd.exe	141
PID 1736 wrote to memory of 1472	1736	cmd.exe	141
PID 1736 wrote to memory of 1472	1736	cmd.exe	141
PID 1736 wrote to memory of 4436	1736	cmd.exe	142
PID 1736 wrote to memory of 4436	1736	cmd.exe	142
PID 1736 wrote to memory of 4436	1736	cmd.exe	142
PID 1736 wrote to memory of 2860	1736	cmd.exe	144
PID 1736 wrote to memory of 2860	1736	cmd.exe	144
PID 1736 wrote to memory of 2860	1736	cmd.exe	144
PID 1736 wrote to memory of 1732	1736	cmd.exe	143
PID 1736 wrote to memory of 1732	1736	cmd.exe	143
PID 1736 wrote to memory of 1732	1736	cmd.exe	143
PID 1736 wrote to memory of 776	1736	cmd.exe	145
PID 1736 wrote to memory of 776	1736	cmd.exe	145
PID 1736 wrote to memory of 776	1736	cmd.exe	145
PID 5048 wrote to memory of 2496	5048	oneetx.exe	159
PID 5048 wrote to memory of 2496	5048	oneetx.exe	159
PID 5048 wrote to memory of 2496	5048	oneetx.exe	159

C:\Users\Admin\AppData\Local\Temp\ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe
"C:\Users\Admin\AppData\Local\Temp\ac3007c94b5c8cc7c49250149354a06de4c42965e10a920ad0fe5fed47cec3dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitE6199.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitE6199.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGu4582.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGu4582.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it506298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it506298.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr454693.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr454693.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 1356
        5⤵
        Program crash
        
        PID:508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp796606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp796606.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428661.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428661.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 712
    3⤵
    - Program crash
    PID:708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 796
    3⤵
    - Program crash
    PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 808
    3⤵
    - Program crash
    PID:3660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 980
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1004
    3⤵
    - Program crash
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1004
    3⤵
    - Program crash
    PID:1944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1216
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1244
    3⤵
    - Program crash
    PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1320
    3⤵
    - Program crash
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 588
      4⤵
      Program crash
      PID:1144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 840
      4⤵
      Program crash
      PID:656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 900
      4⤵
      Program crash
      PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1056
      4⤵
      Program crash
      PID:4112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1076
      4⤵
      Program crash
      PID:4236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1100
      4⤵
      Program crash
      PID:3968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1136
      4⤵
      Program crash
      PID:4196
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 996
      4⤵
      Program crash
      PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1304
      4⤵
      Program crash
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1256
      4⤵
      Program crash
      PID:3144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 772
      4⤵
      Program crash
      PID:4420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 792
      4⤵
      Program crash
      PID:4152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1320
      4⤵
      Program crash
      PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1104
      4⤵
      Program crash
      PID:3380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1608
      4⤵
      Program crash
      PID:3492
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1104
      4⤵
      Program crash
      PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1620
      4⤵
      Program crash
      PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1416
    3⤵
    - Program crash
    PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 328 -ip 328
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3808 -ip 3808
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3808 -ip 3808
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3808 -ip 3808
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3808 -ip 3808
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3808 -ip 3808
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3808 -ip 3808
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3808 -ip 3808
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3808 -ip 3808
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3808 -ip 3808
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5048 -ip 5048
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5048 -ip 5048
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5048 -ip 5048
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5048 -ip 5048
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5048 -ip 5048
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5048 -ip 5048
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5048 -ip 5048
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5048 -ip 5048
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5048 -ip 5048
1⤵
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5048 -ip 5048
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5048 -ip 5048
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5048 -ip 5048
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5048 -ip 5048
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 424
  2⤵
  - Program crash
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2532 -ip 2532
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5048 -ip 5048
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5048 -ip 5048
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5048 -ip 5048
1⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 424
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2444 -ip 2444
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428661.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428661.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitE6199.exe

Filesize
568KB

MD5
60b49202742c4c49ba65fc908ce3a491

SHA1
5656af535e9685e1947b60c36bfa6918426fb569

SHA256
f41d8bc0ee0c19297cecf7c9e6c98fbc499136e7f2db8a51b835db9d69f49fd6

SHA512
1c312518235412978aab90679e26df70758832b44d02d6791f36981382c331c0c79a8957b4267548694d6bec15c3a6b0e4c30c27965956aeea5a73abf6779bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitE6199.exe

Filesize
568KB

MD5
60b49202742c4c49ba65fc908ce3a491

SHA1
5656af535e9685e1947b60c36bfa6918426fb569

SHA256
f41d8bc0ee0c19297cecf7c9e6c98fbc499136e7f2db8a51b835db9d69f49fd6

SHA512
1c312518235412978aab90679e26df70758832b44d02d6791f36981382c331c0c79a8957b4267548694d6bec15c3a6b0e4c30c27965956aeea5a73abf6779bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp796606.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp796606.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGu4582.exe

Filesize
414KB

MD5
2dc6d266e5271998bed1938dd2bf5c26

SHA1
76e108dacd2cb23e070763f0320b5b4349e51a3f

SHA256
a01ed287f506fb7e29a3c9e93ac14db4433fb26b933a22a301cb221bea341e71

SHA512
3b4ca0a662d1185f94d4f33e8e857b491e7eea6dc8aca424402fb527610648be6f428eacb7ed87cf04a0a2580a36c1e95f9db68e5e3457d7cf061e0bfbb4e9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziGu4582.exe

Filesize
414KB

MD5
2dc6d266e5271998bed1938dd2bf5c26

SHA1
76e108dacd2cb23e070763f0320b5b4349e51a3f

SHA256
a01ed287f506fb7e29a3c9e93ac14db4433fb26b933a22a301cb221bea341e71

SHA512
3b4ca0a662d1185f94d4f33e8e857b491e7eea6dc8aca424402fb527610648be6f428eacb7ed87cf04a0a2580a36c1e95f9db68e5e3457d7cf061e0bfbb4e9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it506298.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it506298.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr454693.exe

Filesize
360KB

MD5
b7db1ab43b1790e54a77f02c386687da

SHA1
c433c86ba875089686766a52b2b9d1fc1222fff2

SHA256
e0bc992f38e38b0cbc5e409988bf4c52b1a3db2aeb8534165b09e279bc1d9d5e

SHA512
6d5748163002a4ea344b5eaa16e750ace47e0b08c7250f60c474942033d876dd3286aad0d0dda35c36f9ecb63921aeb664007609a84f85abc113df74e803a4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr454693.exe

Filesize
360KB

MD5
b7db1ab43b1790e54a77f02c386687da

SHA1
c433c86ba875089686766a52b2b9d1fc1222fff2

SHA256
e0bc992f38e38b0cbc5e409988bf4c52b1a3db2aeb8534165b09e279bc1d9d5e

SHA512
6d5748163002a4ea344b5eaa16e750ace47e0b08c7250f60c474942033d876dd3286aad0d0dda35c36f9ecb63921aeb664007609a84f85abc113df74e803a4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/328-203-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-227-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-177-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-179-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-181-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-183-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-185-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-187-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-189-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-191-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-193-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-195-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-197-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-199-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-201-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-173-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-205-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-207-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-209-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-211-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-213-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-215-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-217-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-219-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-221-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-223-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-225-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-175-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-956-0x0000000009E60000-0x000000000A478000-memory.dmp

Filesize
6.1MB

Download
memory/328-957-0x00000000073F0000-0x0000000007402000-memory.dmp

Filesize
72KB

Download
memory/328-958-0x000000000A480000-0x000000000A58A000-memory.dmp

Filesize
1.0MB

Download
memory/328-959-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/328-960-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/328-961-0x000000000A890000-0x000000000A8F6000-memory.dmp

Filesize
408KB

Download
memory/328-962-0x000000000AF60000-0x000000000AFF2000-memory.dmp

Filesize
584KB

Download
memory/328-963-0x000000000B010000-0x000000000B060000-memory.dmp

Filesize
320KB

Download
memory/328-964-0x000000000B070000-0x000000000B0E6000-memory.dmp

Filesize
472KB

Download
memory/328-965-0x000000000B140000-0x000000000B302000-memory.dmp

Filesize
1.8MB

Download
memory/328-966-0x000000000B360000-0x000000000B88C000-memory.dmp

Filesize
5.2MB

Download
memory/328-967-0x000000000B960000-0x000000000B97E000-memory.dmp

Filesize
120KB

Download
memory/328-160-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/328-161-0x00000000047F0000-0x0000000004836000-memory.dmp

Filesize
280KB

Download
memory/328-163-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/328-162-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/328-171-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-169-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-167-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-165-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/328-164-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/2236-975-0x0000000007B20000-0x0000000007B30000-memory.dmp

Filesize
64KB

Download
memory/2236-974-0x0000000000A10000-0x0000000000A38000-memory.dmp

Filesize
160KB

Download
memory/2360-154-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/3808-981-0x00000000047B0000-0x00000000047E5000-memory.dmp

Filesize
212KB

Download