588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe
Size

828KB
MD5

51c19769cc22d3eb7091e98d437462f9
SHA1

05b1fc307f7762910e595d88bf14c5dbe3d5f7d8
SHA256

588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962
SHA512

2bde5efd8c8f116412220b1575b48a922e923a9debe7b581cd094471ac232f7163aa5b7e5a35cbbf0e12d19c2136bfefa20caabb6e714b096086458c1e9971b5
SSDEEP

24576:pyKk1caztxgtX8HeVgVm6h9XEeaUyv1C:cKk1Jz0tM+VgVRHXZ09

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it537572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it537572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it537572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it537572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it537572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it537572.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr819646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1148	ziLc7537.exe
1564	zizV0075.exe
2264	it537572.exe
652	jr967151.exe
3956	kp861999.exe
1068	lr819646.exe
1580	oneetx.exe
4224	oneetx.exe
1876	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it537572.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zizV0075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zizV0075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziLc7537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziLc7537.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3800	652	WerFault.exe	85
2804	1068	WerFault.exe	90
4220	1068	WerFault.exe	90
4632	1068	WerFault.exe	90
4944	1068	WerFault.exe	90
2432	1068	WerFault.exe	90
240	1068	WerFault.exe	90
1468	1068	WerFault.exe	90
1424	1068	WerFault.exe	90
5000	1068	WerFault.exe	90
3328	1068	WerFault.exe	90
4824	1580	WerFault.exe	109
2864	1580	WerFault.exe	109
4976	1580	WerFault.exe	109
1880	1580	WerFault.exe	109
1652	1580	WerFault.exe	109
3296	1580	WerFault.exe	109
4120	1580	WerFault.exe	109
924	1580	WerFault.exe	109
4500	1580	WerFault.exe	109
4884	1580	WerFault.exe	109
1192	1580	WerFault.exe	109
4352	1580	WerFault.exe	109
3320	1580	WerFault.exe	109
1128	1580	WerFault.exe	109
3244	4224	WerFault.exe	150
2096	1580	WerFault.exe	109
2140	1580	WerFault.exe	109
2612	1580	WerFault.exe	109
1664	1876	WerFault.exe	160

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2264	it537572.exe
2264	it537572.exe
652	jr967151.exe
652	jr967151.exe
3956	kp861999.exe
3956	kp861999.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	it537572.exe
Token: SeDebugPrivilege	652	jr967151.exe
Token: SeDebugPrivilege	3956	kp861999.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1068	lr819646.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1148	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	80
PID 1436 wrote to memory of 1148	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	80
PID 1436 wrote to memory of 1148	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	80
PID 1148 wrote to memory of 1564	1148	ziLc7537.exe	81
PID 1148 wrote to memory of 1564	1148	ziLc7537.exe	81
PID 1148 wrote to memory of 1564	1148	ziLc7537.exe	81
PID 1564 wrote to memory of 2264	1564	zizV0075.exe	82
PID 1564 wrote to memory of 2264	1564	zizV0075.exe	82
PID 1564 wrote to memory of 652	1564	zizV0075.exe	85
PID 1564 wrote to memory of 652	1564	zizV0075.exe	85
PID 1564 wrote to memory of 652	1564	zizV0075.exe	85
PID 1148 wrote to memory of 3956	1148	ziLc7537.exe	89
PID 1148 wrote to memory of 3956	1148	ziLc7537.exe	89
PID 1148 wrote to memory of 3956	1148	ziLc7537.exe	89
PID 1436 wrote to memory of 1068	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	90
PID 1436 wrote to memory of 1068	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	90
PID 1436 wrote to memory of 1068	1436	588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe	90
PID 1068 wrote to memory of 1580	1068	lr819646.exe	109
PID 1068 wrote to memory of 1580	1068	lr819646.exe	109
PID 1068 wrote to memory of 1580	1068	lr819646.exe	109
PID 1580 wrote to memory of 3980	1580	oneetx.exe	126
PID 1580 wrote to memory of 3980	1580	oneetx.exe	126
PID 1580 wrote to memory of 3980	1580	oneetx.exe	126
PID 1580 wrote to memory of 1200	1580	oneetx.exe	132
PID 1580 wrote to memory of 1200	1580	oneetx.exe	132
PID 1580 wrote to memory of 1200	1580	oneetx.exe	132
PID 1200 wrote to memory of 2160	1200	cmd.exe	136
PID 1200 wrote to memory of 2160	1200	cmd.exe	136
PID 1200 wrote to memory of 2160	1200	cmd.exe	136
PID 1200 wrote to memory of 4556	1200	cmd.exe	137
PID 1200 wrote to memory of 4556	1200	cmd.exe	137
PID 1200 wrote to memory of 4556	1200	cmd.exe	137
PID 1200 wrote to memory of 396	1200	cmd.exe	138
PID 1200 wrote to memory of 396	1200	cmd.exe	138
PID 1200 wrote to memory of 396	1200	cmd.exe	138
PID 1200 wrote to memory of 3464	1200	cmd.exe	139
PID 1200 wrote to memory of 3464	1200	cmd.exe	139
PID 1200 wrote to memory of 3464	1200	cmd.exe	139
PID 1200 wrote to memory of 4360	1200	cmd.exe	140
PID 1200 wrote to memory of 4360	1200	cmd.exe	140
PID 1200 wrote to memory of 4360	1200	cmd.exe	140
PID 1200 wrote to memory of 1884	1200	cmd.exe	141
PID 1200 wrote to memory of 1884	1200	cmd.exe	141
PID 1200 wrote to memory of 1884	1200	cmd.exe	141
PID 1580 wrote to memory of 2888	1580	oneetx.exe	155
PID 1580 wrote to memory of 2888	1580	oneetx.exe	155
PID 1580 wrote to memory of 2888	1580	oneetx.exe	155

C:\Users\Admin\AppData\Local\Temp\588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe
"C:\Users\Admin\AppData\Local\Temp\588c1281c49da369ab2b8944da8f2df94fa292b19e5de158dc345112e01d6962.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLc7537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLc7537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizV0075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizV0075.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it537572.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it537572.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr967151.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr967151.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 1188
        5⤵
        Program crash
        
        PID:3800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp861999.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp861999.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819646.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819646.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 708
    3⤵
    - Program crash
    PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 788
    3⤵
    - Program crash
    PID:4220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 856
    3⤵
    - Program crash
    PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 952
    3⤵
    - Program crash
    PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 960
    3⤵
    - Program crash
    PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 960
    3⤵
    - Program crash
    PID:240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1216
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1208
    3⤵
    - Program crash
    PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1316
    3⤵
    - Program crash
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 636
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 836
      4⤵
      Program crash
      PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 892
      4⤵
      Program crash
      PID:4976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1052
      4⤵
      Program crash
      PID:1880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1060
      4⤵
      Program crash
      PID:1652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1060
      4⤵
      Program crash
      PID:3296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1072
      4⤵
      Program crash
      PID:4120
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 992
      4⤵
      Program crash
      PID:924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1320
      4⤵
      Program crash
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4360
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:1884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 764
      4⤵
      Program crash
      PID:4884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1296
      4⤵
      Program crash
      PID:1192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1292
      4⤵
      Program crash
      PID:4352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 892
      4⤵
      Program crash
      PID:3320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1112
      4⤵
      Program crash
      PID:1128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1616
      4⤵
      Program crash
      PID:2096
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1112
      4⤵
      Program crash
      PID:2140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1628
      4⤵
      Program crash
      PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 764
    3⤵
    - Program crash
    PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 652 -ip 652
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1068 -ip 1068
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 1068
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1068 -ip 1068
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1068 -ip 1068
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1068 -ip 1068
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1068 -ip 1068
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1068 -ip 1068
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1068 -ip 1068
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1068 -ip 1068
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1068 -ip 1068
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1580 -ip 1580
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1580 -ip 1580
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1580 -ip 1580
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1580 -ip 1580
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1580 -ip 1580
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1580 -ip 1580
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1580 -ip 1580
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1580 -ip 1580
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1580 -ip 1580
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1580 -ip 1580
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1580 -ip 1580
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1580 -ip 1580
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1580 -ip 1580
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1580 -ip 1580
1⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 428
  2⤵
  - Program crash
  PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4224 -ip 4224
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1580 -ip 1580
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1580 -ip 1580
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1580 -ip 1580
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 428
  2⤵
  - Program crash
  PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1876 -ip 1876
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819646.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819646.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLc7537.exe

Filesize
569KB

MD5
8dd14095b7811be97009353a39d1fd7a

SHA1
dac84b828f36de28acfdafbef3331191c7531c27

SHA256
8536beda1241f7bc81edc5968acd36c42b1b5ef527ff6aff777c46151bad58d8

SHA512
c07d101c62ad034ab0aace842a461085f350e3eb4f7ab948603ac4bbd37a369ab105b65e85c2af8effafb6de50af049aef53a517dffdbe9206db1e2f59ed959c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLc7537.exe

Filesize
569KB

MD5
8dd14095b7811be97009353a39d1fd7a

SHA1
dac84b828f36de28acfdafbef3331191c7531c27

SHA256
8536beda1241f7bc81edc5968acd36c42b1b5ef527ff6aff777c46151bad58d8

SHA512
c07d101c62ad034ab0aace842a461085f350e3eb4f7ab948603ac4bbd37a369ab105b65e85c2af8effafb6de50af049aef53a517dffdbe9206db1e2f59ed959c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp861999.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp861999.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizV0075.exe

Filesize
415KB

MD5
ab4afdee687799cb277a0909d880c4c4

SHA1
aaf935e34fc6fb4c06f3d076c28f3672549f9c8a

SHA256
277b7f0685a9fc6aa0ca6961fb7c336817972a85d03e6dc93dc9902621f8936d

SHA512
e3a1cb1a2e40f4b1221159fdd61be89d6696078a3f71ab91080b4ea16816e08d81f4cc4c98eaa5109c0dcc94849ada488f9d17f780bb76375cebec01aefa1a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zizV0075.exe

Filesize
415KB

MD5
ab4afdee687799cb277a0909d880c4c4

SHA1
aaf935e34fc6fb4c06f3d076c28f3672549f9c8a

SHA256
277b7f0685a9fc6aa0ca6961fb7c336817972a85d03e6dc93dc9902621f8936d

SHA512
e3a1cb1a2e40f4b1221159fdd61be89d6696078a3f71ab91080b4ea16816e08d81f4cc4c98eaa5109c0dcc94849ada488f9d17f780bb76375cebec01aefa1a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it537572.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it537572.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr967151.exe

Filesize
360KB

MD5
658e270109607fcefde76160cece502d

SHA1
e75d73c3232edad81637000b247b5bf525332a06

SHA256
0bdc82fd0f43d9c63ae5debc2c17da9330e4a105fb6c22e1e924809f9743a246

SHA512
2863725ab6c1971b66bc380b3b7b316cb6a64889250e03020fc0dec67fab5d68816bc6a597ea70e7df4f2ec622d0a2974f0a14ffd167ae07a3b58e9aee49caae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr967151.exe

Filesize
360KB

MD5
658e270109607fcefde76160cece502d

SHA1
e75d73c3232edad81637000b247b5bf525332a06

SHA256
0bdc82fd0f43d9c63ae5debc2c17da9330e4a105fb6c22e1e924809f9743a246

SHA512
2863725ab6c1971b66bc380b3b7b316cb6a64889250e03020fc0dec67fab5d68816bc6a597ea70e7df4f2ec622d0a2974f0a14ffd167ae07a3b58e9aee49caae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
0a562ee4adb5f857c0b0e8f5d29f7fb1

SHA1
7627c87279be6af92d8c158b63f0d69b285a6008

SHA256
b5f4c1bcb4078132fb44e4954555ade61e27491fad457772f67a95aa319b33e2

SHA512
5fd7d87d9b56c9f425bea1e9e39524b4f21112eb8422c215cf84dfe1a5c93b3ab1c3c0350477843fcf2d4ca4932e504ad1ea169390aa7dd3a2c068ec0c7eb21c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/652-204-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-228-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-178-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-180-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-182-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-184-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-186-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-188-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-190-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-192-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-194-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-196-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-198-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-200-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-202-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-174-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-206-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-208-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-210-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-212-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-214-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-216-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-218-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-220-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-222-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-224-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-226-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-176-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-957-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/652-958-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/652-959-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/652-960-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/652-961-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/652-962-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/652-963-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/652-964-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/652-965-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/652-966-0x000000000B020000-0x000000000B070000-memory.dmp

Filesize
320KB

Download
memory/652-967-0x000000000B2E0000-0x000000000B4A2000-memory.dmp

Filesize
1.8MB

Download
memory/652-968-0x000000000B6C0000-0x000000000BBEC000-memory.dmp

Filesize
5.2MB

Download
memory/652-160-0x0000000007120000-0x00000000076C4000-memory.dmp

Filesize
5.6MB

Download
memory/652-161-0x0000000003070000-0x00000000030B6000-memory.dmp

Filesize
280KB

Download
memory/652-172-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-163-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/652-170-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-168-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-166-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-165-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/652-162-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/652-164-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1068-982-0x0000000002D60000-0x0000000002D95000-memory.dmp

Filesize
212KB

Download
memory/2264-154-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/3956-975-0x00000000004A0000-0x00000000004C8000-memory.dmp

Filesize
160KB

Download
memory/3956-976-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download