658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3

Analysis

max time kernel
144s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 14:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe
Size

827KB
MD5

0e13dff14fa5e367f976aa952f6b9d7d
SHA1

df3448ee504cf1c5ead1656b6a789277ebb2eb52
SHA256

658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3
SHA512

282b93212fdba302094fe3e4f3ba2bc25acfbd3d047d51f092575336ed42231be94557971168e18f6ac635abb6d00e644425d05fc47f8c3c298feafc1709de42
SSDEEP

24576:Vy6Iij1O/xvq/z2kHc56hPeIQXoWw2NwEoOKsKG:wfi05vq/z6emIQXRNwEovv

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it163245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it163245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it163245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it163245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it163245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it163245.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lr518144.exe

Executes dropped EXE 9 IoCs

pid	Process
4504	ziFJ3499.exe
2720	zicn4479.exe
632	it163245.exe
3096	jr683040.exe
2272	kp880536.exe
5080	lr518144.exe
3608	oneetx.exe
3796	oneetx.exe
2312	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4708	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it163245.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziFJ3499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziFJ3499.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zicn4479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zicn4479.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
2112	3096	WerFault.exe	91
4736	5080	WerFault.exe	98
3520	5080	WerFault.exe	98
4388	5080	WerFault.exe	98
4204	5080	WerFault.exe	98
4832	5080	WerFault.exe	98
2212	5080	WerFault.exe	98
1432	5080	WerFault.exe	98
4332	5080	WerFault.exe	98
4868	5080	WerFault.exe	98
4372	5080	WerFault.exe	98
924	3608	WerFault.exe	118
1344	3608	WerFault.exe	118
3232	3608	WerFault.exe	118
832	3608	WerFault.exe	118
3880	3608	WerFault.exe	118
2288	3608	WerFault.exe	118
4180	3608	WerFault.exe	118
3892	3608	WerFault.exe	118
4756	3608	WerFault.exe	118
4100	3608	WerFault.exe	118
4976	3608	WerFault.exe	118
4320	3608	WerFault.exe	118
4240	3608	WerFault.exe	118
4736	3796	WerFault.exe	157
4592	3608	WerFault.exe	118
2520	3608	WerFault.exe	118
960	3608	WerFault.exe	118
2728	2312	WerFault.exe	167
3416	3608	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
632	it163245.exe
632	it163245.exe
3096	jr683040.exe
3096	jr683040.exe
2272	kp880536.exe
2272	kp880536.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	it163245.exe
Token: SeDebugPrivilege	3096	jr683040.exe
Token: SeDebugPrivilege	2272	kp880536.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5080	lr518144.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 4504	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	84
PID 1408 wrote to memory of 4504	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	84
PID 1408 wrote to memory of 4504	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	84
PID 4504 wrote to memory of 2720	4504	ziFJ3499.exe	85
PID 4504 wrote to memory of 2720	4504	ziFJ3499.exe	85
PID 4504 wrote to memory of 2720	4504	ziFJ3499.exe	85
PID 2720 wrote to memory of 632	2720	zicn4479.exe	86
PID 2720 wrote to memory of 632	2720	zicn4479.exe	86
PID 2720 wrote to memory of 3096	2720	zicn4479.exe	91
PID 2720 wrote to memory of 3096	2720	zicn4479.exe	91
PID 2720 wrote to memory of 3096	2720	zicn4479.exe	91
PID 4504 wrote to memory of 2272	4504	ziFJ3499.exe	97
PID 4504 wrote to memory of 2272	4504	ziFJ3499.exe	97
PID 4504 wrote to memory of 2272	4504	ziFJ3499.exe	97
PID 1408 wrote to memory of 5080	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	98
PID 1408 wrote to memory of 5080	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	98
PID 1408 wrote to memory of 5080	1408	658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe	98
PID 5080 wrote to memory of 3608	5080	lr518144.exe	118
PID 5080 wrote to memory of 3608	5080	lr518144.exe	118
PID 5080 wrote to memory of 3608	5080	lr518144.exe	118
PID 3608 wrote to memory of 3904	3608	oneetx.exe	135
PID 3608 wrote to memory of 3904	3608	oneetx.exe	135
PID 3608 wrote to memory of 3904	3608	oneetx.exe	135
PID 3608 wrote to memory of 2136	3608	oneetx.exe	141
PID 3608 wrote to memory of 2136	3608	oneetx.exe	141
PID 3608 wrote to memory of 2136	3608	oneetx.exe	141
PID 2136 wrote to memory of 1668	2136	cmd.exe	145
PID 2136 wrote to memory of 1668	2136	cmd.exe	145
PID 2136 wrote to memory of 1668	2136	cmd.exe	145
PID 2136 wrote to memory of 2736	2136	cmd.exe	146
PID 2136 wrote to memory of 2736	2136	cmd.exe	146
PID 2136 wrote to memory of 2736	2136	cmd.exe	146
PID 2136 wrote to memory of 3740	2136	cmd.exe	147
PID 2136 wrote to memory of 3740	2136	cmd.exe	147
PID 2136 wrote to memory of 3740	2136	cmd.exe	147
PID 2136 wrote to memory of 404	2136	cmd.exe	148
PID 2136 wrote to memory of 404	2136	cmd.exe	148
PID 2136 wrote to memory of 404	2136	cmd.exe	148
PID 2136 wrote to memory of 3264	2136	cmd.exe	149
PID 2136 wrote to memory of 3264	2136	cmd.exe	149
PID 2136 wrote to memory of 3264	2136	cmd.exe	149
PID 2136 wrote to memory of 4668	2136	cmd.exe	150
PID 2136 wrote to memory of 4668	2136	cmd.exe	150
PID 2136 wrote to memory of 4668	2136	cmd.exe	150
PID 3608 wrote to memory of 4708	3608	oneetx.exe	164
PID 3608 wrote to memory of 4708	3608	oneetx.exe	164
PID 3608 wrote to memory of 4708	3608	oneetx.exe	164

C:\Users\Admin\AppData\Local\Temp\658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe
"C:\Users\Admin\AppData\Local\Temp\658b705309da7090556695ec4565f5d889ee10597e4fc329f83add49a8f929d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFJ3499.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFJ3499.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicn4479.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicn4479.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it163245.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it163245.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr683040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr683040.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1328
        5⤵
        Program crash
        
        PID:2112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp880536.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp880536.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr518144.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr518144.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 708
    3⤵
    - Program crash
    PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 792
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 856
    3⤵
    - Program crash
    PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 864
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 852
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 992
    3⤵
    - Program crash
    PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1220
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1264
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1320
    3⤵
    - Program crash
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 704
      4⤵
      Program crash
      PID:924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 832
      4⤵
      Program crash
      PID:1344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 828
      4⤵
      Program crash
      PID:3232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1052
      4⤵
      Program crash
      PID:832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1072
      4⤵
      Program crash
      PID:3880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1088
      4⤵
      Program crash
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1064
      4⤵
      Program crash
      PID:4180
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012
      4⤵
      Program crash
      PID:3892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1300
      4⤵
      Program crash
      PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:3740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:404
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1348
      4⤵
      Program crash
      PID:4100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1324
      4⤵
      Program crash
      PID:4976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 924
      4⤵
      Program crash
      PID:4320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1264
      4⤵
      Program crash
      PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1088
      4⤵
      Program crash
      PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1616
      4⤵
      Program crash
      PID:2520
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1576
      4⤵
      Program crash
      PID:960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1632
      4⤵
      Program crash
      PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1356
    3⤵
    - Program crash
    PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3096 -ip 3096
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5080 -ip 5080
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5080 -ip 5080
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5080 -ip 5080
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5080 -ip 5080
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5080 -ip 5080
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5080 -ip 5080
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5080 -ip 5080
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5080 -ip 5080
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5080 -ip 5080
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3608 -ip 3608
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3608 -ip 3608
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3608 -ip 3608
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3608 -ip 3608
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3608 -ip 3608
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3608 -ip 3608
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3608 -ip 3608
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3608 -ip 3608
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3608 -ip 3608
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3608 -ip 3608
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 356
  2⤵
  - Program crash
  PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3796 -ip 3796
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3608 -ip 3608
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3608 -ip 3608
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3608 -ip 3608
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 420
  2⤵
  - Program crash
  PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2312 -ip 2312
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3608 -ip 3608
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr518144.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr518144.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFJ3499.exe

Filesize
569KB

MD5
2988670fbb04e65b12d3c96b0af2e0a0

SHA1
ba98d50f75371172855e969545188ae5ad7d5cec

SHA256
a540f2552cb41306da13b80117aa49296b780ad1461418645d220eb08af3c13c

SHA512
2cba71752464cf9d1ea9d494c1fdbf637aceb86dac86a52182720994d23ce6698beea25fcf31f55dddd664a95543ddd5f3c3883300b656b2b227b57a89d8e7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziFJ3499.exe

Filesize
569KB

MD5
2988670fbb04e65b12d3c96b0af2e0a0

SHA1
ba98d50f75371172855e969545188ae5ad7d5cec

SHA256
a540f2552cb41306da13b80117aa49296b780ad1461418645d220eb08af3c13c

SHA512
2cba71752464cf9d1ea9d494c1fdbf637aceb86dac86a52182720994d23ce6698beea25fcf31f55dddd664a95543ddd5f3c3883300b656b2b227b57a89d8e7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp880536.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp880536.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicn4479.exe

Filesize
415KB

MD5
4a485afabe492b1befdbd982c00c0e1a

SHA1
c4bb96bee163dfc5512a5d5fdb99b5b3e4baa457

SHA256
1bfde149bb08189d246e82dafa9bb98a9c0e91be1f213d49d662fc743f9d043e

SHA512
a6f62b5072969f6387a0c9d3d8a24f12e6aca3c7f86c7b9668b7eaa9e4818051621f0ffa6da7f1e7692ec966d22b4639ed4ae1707a2dbf80c9f3b5f2f7b3e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicn4479.exe

Filesize
415KB

MD5
4a485afabe492b1befdbd982c00c0e1a

SHA1
c4bb96bee163dfc5512a5d5fdb99b5b3e4baa457

SHA256
1bfde149bb08189d246e82dafa9bb98a9c0e91be1f213d49d662fc743f9d043e

SHA512
a6f62b5072969f6387a0c9d3d8a24f12e6aca3c7f86c7b9668b7eaa9e4818051621f0ffa6da7f1e7692ec966d22b4639ed4ae1707a2dbf80c9f3b5f2f7b3e4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it163245.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it163245.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr683040.exe

Filesize
360KB

MD5
7115d19c34ddf1462ed61350543f56eb

SHA1
6890e27bf2cf1ee07834c9aa064de27b0d46f63a

SHA256
e21072ac4a5db47e8c8c1227e70fae3fb99b5c3d364d3452523a4343b2851b65

SHA512
f2bed3424186d8853d158205ceaca4e6f5a523443a875c8fb19c650cc6f39ded0558448b6bf0d73baa74c04c235db7159890df82d96f2ebad05be20d9229f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr683040.exe

Filesize
360KB

MD5
7115d19c34ddf1462ed61350543f56eb

SHA1
6890e27bf2cf1ee07834c9aa064de27b0d46f63a

SHA256
e21072ac4a5db47e8c8c1227e70fae3fb99b5c3d364d3452523a4343b2851b65

SHA512
f2bed3424186d8853d158205ceaca4e6f5a523443a875c8fb19c650cc6f39ded0558448b6bf0d73baa74c04c235db7159890df82d96f2ebad05be20d9229f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
256KB

MD5
588f4820cf625ea01c5a4c673a4ac91b

SHA1
68d0e76142eb68593fd55cb8929beb75ecf0f580

SHA256
310ed3d1c6ff08ead13336657b0697cc8e0534337af84666fa30b74e65187f23

SHA512
98f7a6b898f4dd48bf13b6977b60c20365676f771f7aeadfd573b6f7600fe9b2c9a25d8574e39ad4b58e79108d6ac1afd22f361bc520af341a8a5b00273a0dc1

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/632-154-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2272-975-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/2272-974-0x0000000000B40000-0x0000000000B68000-memory.dmp

Filesize
160KB

Download
memory/3096-201-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-227-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-181-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-183-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-185-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-187-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-189-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-191-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-193-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-195-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-197-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-199-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-177-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-203-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-205-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-207-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-209-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-213-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-211-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-215-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-217-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-219-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-221-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-223-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-225-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-179-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-956-0x0000000009CE0000-0x000000000A2F8000-memory.dmp

Filesize
6.1MB

Download
memory/3096-957-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3096-958-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/3096-959-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3096-960-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3096-961-0x000000000A750000-0x000000000A7B6000-memory.dmp

Filesize
408KB

Download
memory/3096-962-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/3096-963-0x000000000AFE0000-0x000000000B056000-memory.dmp

Filesize
472KB

Download
memory/3096-173-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-175-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-964-0x000000000B0B0000-0x000000000B272000-memory.dmp

Filesize
1.8MB

Download
memory/3096-965-0x000000000B2D0000-0x000000000B7FC000-memory.dmp

Filesize
5.2MB

Download
memory/3096-966-0x000000000B8D0000-0x000000000B8EE000-memory.dmp

Filesize
120KB

Download
memory/3096-967-0x0000000006D40000-0x0000000006D90000-memory.dmp

Filesize
320KB

Download
memory/3096-160-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/3096-171-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-169-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-167-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-165-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-164-0x0000000004B70000-0x0000000004BA5000-memory.dmp

Filesize
212KB

Download
memory/3096-163-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3096-162-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/3096-161-0x0000000002D30000-0x0000000002D76000-memory.dmp

Filesize
280KB

Download
memory/5080-981-0x0000000002E10000-0x0000000002E45000-memory.dmp

Filesize
212KB

Download