a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a

Analysis

max time kernel
145s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 23:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe
Size

919KB
MD5

bd8ee03ed4e33ffa34b7822386303d1e
SHA1

770024dc4883ec96619be4cfc5bb8296564038f2
SHA256

a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a
SHA512

959de1a78fff8aa2e685a5eec2b79d2f038a20e44cd5a0f0816a89a14e7d882212db54f2906471ff1a7951989856656356af63c0f8e11034befb331be95c730e
SSDEEP

24576:Ky833b7o0IVYTSMWt3YCsKK11LAgK3mvbRioxME+:R03v3TSMWpujL83ybRio6

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it318510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it318510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it318510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it318510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it318510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it318510.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lr472464.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4432	ziLX8196.exe
3684	ziEY3560.exe
3448	it318510.exe
3960	jr480470.exe
1292	kp085408.exe
1212	lr472464.exe
4556	oneetx.exe
5000	oneetx.exe
2960	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3968	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it318510.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziLX8196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziLX8196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEY3560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziEY3560.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3528	3960	WerFault.exe	87
4696	1212	WerFault.exe	93
492	1212	WerFault.exe	93
2432	1212	WerFault.exe	93
4252	1212	WerFault.exe	93
1928	1212	WerFault.exe	93
1676	1212	WerFault.exe	93
5052	1212	WerFault.exe	93
4500	1212	WerFault.exe	93
4588	1212	WerFault.exe	93
4444	1212	WerFault.exe	93
4496	4556	WerFault.exe	113
376	4556	WerFault.exe	113
1160	4556	WerFault.exe	113
2608	4556	WerFault.exe	113
2600	4556	WerFault.exe	113
4476	4556	WerFault.exe	113
2228	4556	WerFault.exe	113
2916	4556	WerFault.exe	113
4788	4556	WerFault.exe	113
1624	4556	WerFault.exe	113
3260	4556	WerFault.exe	113
692	4556	WerFault.exe	113
4220	4556	WerFault.exe	113
3528	4556	WerFault.exe	113
4664	5000	WerFault.exe	154
4416	4556	WerFault.exe	113
5116	4556	WerFault.exe	113
2432	4556	WerFault.exe	113
1908	2960	WerFault.exe	164

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3448	it318510.exe
3448	it318510.exe
3960	jr480470.exe
3960	jr480470.exe
1292	kp085408.exe
1292	kp085408.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	it318510.exe
Token: SeDebugPrivilege	3960	jr480470.exe
Token: SeDebugPrivilege	1292	kp085408.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1212	lr472464.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4432	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	76
PID 4808 wrote to memory of 4432	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	76
PID 4808 wrote to memory of 4432	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	76
PID 4432 wrote to memory of 3684	4432	ziLX8196.exe	77
PID 4432 wrote to memory of 3684	4432	ziLX8196.exe	77
PID 4432 wrote to memory of 3684	4432	ziLX8196.exe	77
PID 3684 wrote to memory of 3448	3684	ziEY3560.exe	78
PID 3684 wrote to memory of 3448	3684	ziEY3560.exe	78
PID 3684 wrote to memory of 3960	3684	ziEY3560.exe	87
PID 3684 wrote to memory of 3960	3684	ziEY3560.exe	87
PID 3684 wrote to memory of 3960	3684	ziEY3560.exe	87
PID 4432 wrote to memory of 1292	4432	ziLX8196.exe	92
PID 4432 wrote to memory of 1292	4432	ziLX8196.exe	92
PID 4432 wrote to memory of 1292	4432	ziLX8196.exe	92
PID 4808 wrote to memory of 1212	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	93
PID 4808 wrote to memory of 1212	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	93
PID 4808 wrote to memory of 1212	4808	a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe	93
PID 1212 wrote to memory of 4556	1212	lr472464.exe	113
PID 1212 wrote to memory of 4556	1212	lr472464.exe	113
PID 1212 wrote to memory of 4556	1212	lr472464.exe	113
PID 4556 wrote to memory of 3864	4556	oneetx.exe	130
PID 4556 wrote to memory of 3864	4556	oneetx.exe	130
PID 4556 wrote to memory of 3864	4556	oneetx.exe	130
PID 4556 wrote to memory of 3296	4556	oneetx.exe	136
PID 4556 wrote to memory of 3296	4556	oneetx.exe	136
PID 4556 wrote to memory of 3296	4556	oneetx.exe	136
PID 3296 wrote to memory of 1568	3296	cmd.exe	140
PID 3296 wrote to memory of 1568	3296	cmd.exe	140
PID 3296 wrote to memory of 1568	3296	cmd.exe	140
PID 3296 wrote to memory of 1588	3296	cmd.exe	141
PID 3296 wrote to memory of 1588	3296	cmd.exe	141
PID 3296 wrote to memory of 1588	3296	cmd.exe	141
PID 3296 wrote to memory of 1700	3296	cmd.exe	142
PID 3296 wrote to memory of 1700	3296	cmd.exe	142
PID 3296 wrote to memory of 1700	3296	cmd.exe	142
PID 3296 wrote to memory of 1956	3296	cmd.exe	143
PID 3296 wrote to memory of 1956	3296	cmd.exe	143
PID 3296 wrote to memory of 1956	3296	cmd.exe	143
PID 3296 wrote to memory of 3452	3296	cmd.exe	144
PID 3296 wrote to memory of 3452	3296	cmd.exe	144
PID 3296 wrote to memory of 3452	3296	cmd.exe	144
PID 3296 wrote to memory of 3028	3296	cmd.exe	145
PID 3296 wrote to memory of 3028	3296	cmd.exe	145
PID 3296 wrote to memory of 3028	3296	cmd.exe	145
PID 4556 wrote to memory of 3968	4556	oneetx.exe	159
PID 4556 wrote to memory of 3968	4556	oneetx.exe	159
PID 4556 wrote to memory of 3968	4556	oneetx.exe	159

C:\Users\Admin\AppData\Local\Temp\a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe
"C:\Users\Admin\AppData\Local\Temp\a674ee02d6c719ecddb0d9c27e3ca3558b759213c1015fa201bec7c0734f6d4a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLX8196.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLX8196.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEY3560.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEY3560.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it318510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it318510.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr480470.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr480470.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1128
        5⤵
        Program crash
        
        PID:3528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085408.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085408.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr472464.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr472464.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 696
    3⤵
    - Program crash
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 752
    3⤵
    - Program crash
    PID:492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 860
    3⤵
    - Program crash
    PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 952
    3⤵
    - Program crash
    PID:4252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 988
    3⤵
    - Program crash
    PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 988
    3⤵
    - Program crash
    PID:1676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1216
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1232
    3⤵
    - Program crash
    PID:4500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1312
    3⤵
    - Program crash
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 692
      4⤵
      Program crash
      PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 816
      4⤵
      Program crash
      PID:376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 724
      4⤵
      Program crash
      PID:1160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1052
      4⤵
      Program crash
      PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1096
      4⤵
      Program crash
      PID:2600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1120
      4⤵
      Program crash
      PID:4476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1128
      4⤵
      Program crash
      PID:2228
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 992
      4⤵
      Program crash
      PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 768
      4⤵
      Program crash
      PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3452
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1340
      4⤵
      Program crash
      PID:1624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1304
      4⤵
      Program crash
      PID:3260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 988
      4⤵
      Program crash
      PID:692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1312
      4⤵
      Program crash
      PID:4220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1072
      4⤵
      Program crash
      PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1604
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1560
      4⤵
      Program crash
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1620
      4⤵
      Program crash
      PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1564
    3⤵
    - Program crash
    PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3960 -ip 3960
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1212 -ip 1212
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1212 -ip 1212
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1212 -ip 1212
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1212 -ip 1212
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1212 -ip 1212
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1212 -ip 1212
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1212 -ip 1212
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1212 -ip 1212
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1212 -ip 1212
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1212 -ip 1212
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4556 -ip 4556
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4556 -ip 4556
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4556 -ip 4556
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4556 -ip 4556
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4556 -ip 4556
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4556 -ip 4556
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4556 -ip 4556
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4556 -ip 4556
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4556 -ip 4556
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4556 -ip 4556
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4556 -ip 4556
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4556 -ip 4556
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4556 -ip 4556
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4556 -ip 4556
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 316
  2⤵
  - Program crash
  PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5000 -ip 5000
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4556 -ip 4556
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4556 -ip 4556
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4556 -ip 4556
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 316
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2960 -ip 2960
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr472464.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr472464.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLX8196.exe

Filesize
615KB

MD5
b75d1846219141a4c50bd4a9d6e735fa

SHA1
ab85be99786b9ca33ed9e540044a70965ff549cd

SHA256
0dad14ede017585fcdf0440438d69c2006a98de852d599fbeba41b87985a10ec

SHA512
1b0f4478c97f25f04b436fe2b1b39bcacf817aad20b5fef06f645cf1aebff5d09437813b23ca9609ee8925c63f37fd42d48702a5d7f438d17d612269fcaf93e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLX8196.exe

Filesize
615KB

MD5
b75d1846219141a4c50bd4a9d6e735fa

SHA1
ab85be99786b9ca33ed9e540044a70965ff549cd

SHA256
0dad14ede017585fcdf0440438d69c2006a98de852d599fbeba41b87985a10ec

SHA512
1b0f4478c97f25f04b436fe2b1b39bcacf817aad20b5fef06f645cf1aebff5d09437813b23ca9609ee8925c63f37fd42d48702a5d7f438d17d612269fcaf93e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085408.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085408.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEY3560.exe

Filesize
461KB

MD5
65f794fac2ea82c2e1a57dad6236e5a9

SHA1
d10105cd52c6e5e2bfb9245c89d3d1f2efa17a20

SHA256
6a109e4e25a4f9248466a25c1a1446b1271f49eeed8743df5d4cadf1855e6d3a

SHA512
f915f70a2c5918dae3a5225e1265559ede4f48a1dd20ab739d99277c942f03f821f046fcd532bcfe34bac5a6f1e413080571507f9e5c3cecc3ca325a81fc7618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEY3560.exe

Filesize
461KB

MD5
65f794fac2ea82c2e1a57dad6236e5a9

SHA1
d10105cd52c6e5e2bfb9245c89d3d1f2efa17a20

SHA256
6a109e4e25a4f9248466a25c1a1446b1271f49eeed8743df5d4cadf1855e6d3a

SHA512
f915f70a2c5918dae3a5225e1265559ede4f48a1dd20ab739d99277c942f03f821f046fcd532bcfe34bac5a6f1e413080571507f9e5c3cecc3ca325a81fc7618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it318510.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it318510.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr480470.exe

Filesize
472KB

MD5
23fb905462be3b276b9b3718ac8b51d2

SHA1
9299ee9c16a5643d405203da8ce6734b41f550ea

SHA256
db3035ef5b15f4d907ab205bc2aef17a1b4abca78c32111d20a9a62ad700b746

SHA512
fcacd213757ec4ea304a0878054e74ea0f2d8093d801c4be6a89c3b9e59476ac8b52f8f27ff2bdd83acc2ea24cbf931c17a31164212131b9355695907ce1c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr480470.exe

Filesize
472KB

MD5
23fb905462be3b276b9b3718ac8b51d2

SHA1
9299ee9c16a5643d405203da8ce6734b41f550ea

SHA256
db3035ef5b15f4d907ab205bc2aef17a1b4abca78c32111d20a9a62ad700b746

SHA512
fcacd213757ec4ea304a0878054e74ea0f2d8093d801c4be6a89c3b9e59476ac8b52f8f27ff2bdd83acc2ea24cbf931c17a31164212131b9355695907ce1c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
3d8efa9a251b4cbee835850bd5dbdb09

SHA1
80f4c664d04ab10dd1e0e32f800f6f160d11f35e

SHA256
a5843efb0b4e6ac44a8c658fc914a8f14d17810e4ad12d78948ebbc52c9dd125

SHA512
a1dd8db089f16ffa0b782c9cc4e3480d064de616eee31db892d8c56ee8319d5ad4a20ea60d50940c2ffcb93237d532b997712f1a9ac7439266b59a72e7b487e2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1212-982-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1292-976-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/1292-975-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download
memory/3448-154-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/3960-200-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-228-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-182-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-184-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-186-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-188-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-190-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-192-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-196-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-194-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-198-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-178-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-202-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-204-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-206-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-210-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-212-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-214-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-216-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-218-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-220-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-222-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-224-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-226-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-180-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-957-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/3960-958-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3960-959-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3960-960-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3960-961-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3960-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3960-963-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/3960-964-0x0000000008D80000-0x0000000008DF6000-memory.dmp

Filesize
472KB

Download
memory/3960-176-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-174-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-172-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-170-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-168-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-166-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-165-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3960-164-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3960-163-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3960-162-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/3960-161-0x0000000000A80000-0x0000000000AC6000-memory.dmp

Filesize
280KB

Download
memory/3960-160-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/3960-965-0x0000000008E50000-0x0000000009012000-memory.dmp

Filesize
1.8MB

Download
memory/3960-966-0x0000000009030000-0x000000000955C000-memory.dmp

Filesize
5.2MB

Download
memory/3960-967-0x0000000009680000-0x000000000969E000-memory.dmp

Filesize
120KB

Download
memory/3960-968-0x0000000004940000-0x0000000004990000-memory.dmp

Filesize
320KB

Download