c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa

Analysis

max time kernel
144s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 05:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe
Size

936KB
MD5

0e2df0f428f44aca82077dedbfdc0764
SHA1

a6f2b81e34073783d06df9a2480b5536c21f1c32
SHA256

c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa
SHA512

f1b43d492205d475de4a4e41fc58a9530b4bfe51b171474ed8a5556c38b23bcb36c04651605a09921dc2a12c017b0909841732dcb99d01c483925db52acf30d4
SSDEEP

12288:/y90X7JZhir6sZ29nImlYf5OX2k5DVeOQGZD+2F3/2SmLFxDlZN1HUaQoFpb8EsY:/yqlZhirNHQJeOQGj+7bzHJQEpgfoQM

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it681501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it681501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it681501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it681501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it681501.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it681501.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	lr265764.exe

Executes dropped EXE 9 IoCs

pid	Process
4928	ziND5098.exe
2680	ziTN6715.exe
5108	it681501.exe
3496	jr464911.exe
3756	kp145464.exe
4464	lr265764.exe
432	oneetx.exe
4708	oneetx.exe
3744	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4512	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it681501.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziND5098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziTN6715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziTN6715.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziND5098.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
1844	3496	WerFault.exe	87
4128	4464	WerFault.exe	91
2740	4464	WerFault.exe	91
1432	4464	WerFault.exe	91
1888	4464	WerFault.exe	91
332	4464	WerFault.exe	91
4988	4464	WerFault.exe	91
4196	4464	WerFault.exe	91
4996	4464	WerFault.exe	91
5040	4464	WerFault.exe	91
4568	4464	WerFault.exe	91
376	432	WerFault.exe	110
4088	432	WerFault.exe	110
1360	432	WerFault.exe	110
4436	432	WerFault.exe	110
2472	432	WerFault.exe	110
4208	432	WerFault.exe	110
3452	432	WerFault.exe	110
4612	432	WerFault.exe	110
180	432	WerFault.exe	110
3868	432	WerFault.exe	110
3584	432	WerFault.exe	110
1448	432	WerFault.exe	110
3496	432	WerFault.exe	110
2352	4708	WerFault.exe	149
4128	432	WerFault.exe	110
2808	432	WerFault.exe	110
2152	432	WerFault.exe	110
1960	3744	WerFault.exe	159
2820	432	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5108	it681501.exe
5108	it681501.exe
3496	jr464911.exe
3496	jr464911.exe
3756	kp145464.exe
3756	kp145464.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	it681501.exe
Token: SeDebugPrivilege	3496	jr464911.exe
Token: SeDebugPrivilege	3756	kp145464.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4464	lr265764.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4928	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	82
PID 4960 wrote to memory of 4928	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	82
PID 4960 wrote to memory of 4928	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	82
PID 4928 wrote to memory of 2680	4928	ziND5098.exe	83
PID 4928 wrote to memory of 2680	4928	ziND5098.exe	83
PID 4928 wrote to memory of 2680	4928	ziND5098.exe	83
PID 2680 wrote to memory of 5108	2680	ziTN6715.exe	84
PID 2680 wrote to memory of 5108	2680	ziTN6715.exe	84
PID 2680 wrote to memory of 3496	2680	ziTN6715.exe	87
PID 2680 wrote to memory of 3496	2680	ziTN6715.exe	87
PID 2680 wrote to memory of 3496	2680	ziTN6715.exe	87
PID 4928 wrote to memory of 3756	4928	ziND5098.exe	90
PID 4928 wrote to memory of 3756	4928	ziND5098.exe	90
PID 4928 wrote to memory of 3756	4928	ziND5098.exe	90
PID 4960 wrote to memory of 4464	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	91
PID 4960 wrote to memory of 4464	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	91
PID 4960 wrote to memory of 4464	4960	c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe	91
PID 4464 wrote to memory of 432	4464	lr265764.exe	110
PID 4464 wrote to memory of 432	4464	lr265764.exe	110
PID 4464 wrote to memory of 432	4464	lr265764.exe	110
PID 432 wrote to memory of 5108	432	oneetx.exe	127
PID 432 wrote to memory of 5108	432	oneetx.exe	127
PID 432 wrote to memory of 5108	432	oneetx.exe	127
PID 432 wrote to memory of 112	432	oneetx.exe	133
PID 432 wrote to memory of 112	432	oneetx.exe	133
PID 432 wrote to memory of 112	432	oneetx.exe	133
PID 112 wrote to memory of 4072	112	cmd.exe	137
PID 112 wrote to memory of 4072	112	cmd.exe	137
PID 112 wrote to memory of 4072	112	cmd.exe	137
PID 112 wrote to memory of 4604	112	cmd.exe	138
PID 112 wrote to memory of 4604	112	cmd.exe	138
PID 112 wrote to memory of 4604	112	cmd.exe	138
PID 112 wrote to memory of 4696	112	cmd.exe	139
PID 112 wrote to memory of 4696	112	cmd.exe	139
PID 112 wrote to memory of 4696	112	cmd.exe	139
PID 112 wrote to memory of 2556	112	cmd.exe	140
PID 112 wrote to memory of 2556	112	cmd.exe	140
PID 112 wrote to memory of 2556	112	cmd.exe	140
PID 112 wrote to memory of 4456	112	cmd.exe	141
PID 112 wrote to memory of 4456	112	cmd.exe	141
PID 112 wrote to memory of 4456	112	cmd.exe	141
PID 112 wrote to memory of 412	112	cmd.exe	142
PID 112 wrote to memory of 412	112	cmd.exe	142
PID 112 wrote to memory of 412	112	cmd.exe	142
PID 432 wrote to memory of 4512	432	oneetx.exe	156
PID 432 wrote to memory of 4512	432	oneetx.exe	156
PID 432 wrote to memory of 4512	432	oneetx.exe	156

C:\Users\Admin\AppData\Local\Temp\c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe
"C:\Users\Admin\AppData\Local\Temp\c8e5ddad26edd7c0685e5f5fe1ca90a2634b878f8a810b19f960504f8f786cfa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziND5098.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziND5098.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTN6715.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTN6715.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it681501.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it681501.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr464911.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr464911.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1996
        5⤵
        Program crash
        
        PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp145464.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp145464.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr265764.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr265764.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 696
    3⤵
    - Program crash
    PID:4128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 752
    3⤵
    - Program crash
    PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 856
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 952
    3⤵
    - Program crash
    PID:1888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 856
    3⤵
    - Program crash
    PID:332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 976
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1216
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1248
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1320
    3⤵
    - Program crash
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 692
      4⤵
      Program crash
      PID:376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 856
      4⤵
      Program crash
      PID:4088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 848
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1052
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1072
      4⤵
      Program crash
      PID:2472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1088
      4⤵
      Program crash
      PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1128
      4⤵
      Program crash
      PID:3452
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 996
      4⤵
      Program crash
      PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 760
      4⤵
      Program crash
      PID:180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4456
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1276
      4⤵
      Program crash
      PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 132
      4⤵
      Program crash
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 756
      4⤵
      Program crash
      PID:1448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1276
      4⤵
      Program crash
      PID:3496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1052
      4⤵
      Program crash
      PID:4128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1664
      4⤵
      Program crash
      PID:2808
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1072
      4⤵
      Program crash
      PID:2152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1680
      4⤵
      Program crash
      PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1368
    3⤵
    - Program crash
    PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3496 -ip 3496
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4464 -ip 4464
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4464 -ip 4464
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4464 -ip 4464
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4464 -ip 4464
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4464 -ip 4464
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4464 -ip 4464
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4464 -ip 4464
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4464 -ip 4464
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4464 -ip 4464
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4464 -ip 4464
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 432 -ip 432
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 432 -ip 432
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 432 -ip 432
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 432 -ip 432
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 432 -ip 432
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 432 -ip 432
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 432 -ip 432
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 432 -ip 432
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 432 -ip 432
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 432 -ip 432
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 432 -ip 432
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 432 -ip 432
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 432 -ip 432
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 316
  2⤵
  - Program crash
  PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4708 -ip 4708
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 432 -ip 432
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 432 -ip 432
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 432 -ip 432
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 320
  2⤵
  - Program crash
  PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3744 -ip 3744
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 432 -ip 432
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr265764.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr265764.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziND5098.exe

Filesize
623KB

MD5
6ffdfc0c09766d2d32744ff9f642d343

SHA1
a743bf1193ec1a61ea2357a0b5e9af9e6bc87a13

SHA256
ea79a86bb0246da9d93688b3751996410ffb8807cbffb61b879f5f30d75d20df

SHA512
12a6dabb6fa1d7164e232a94e51c75dc0f791322fd930c323254da69b3c9ca7b1f82f4b15a1bfd6db98b3cc61ea9861bf269dc31feddc84b53372f21f00e5a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziND5098.exe

Filesize
623KB

MD5
6ffdfc0c09766d2d32744ff9f642d343

SHA1
a743bf1193ec1a61ea2357a0b5e9af9e6bc87a13

SHA256
ea79a86bb0246da9d93688b3751996410ffb8807cbffb61b879f5f30d75d20df

SHA512
12a6dabb6fa1d7164e232a94e51c75dc0f791322fd930c323254da69b3c9ca7b1f82f4b15a1bfd6db98b3cc61ea9861bf269dc31feddc84b53372f21f00e5a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp145464.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp145464.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTN6715.exe

Filesize
468KB

MD5
f34365128b9297335b0bbce82adaa709

SHA1
2f9f7f54f456d141275c6edeb0afd1e2e7574488

SHA256
486072f54b5dedc4a6375e9f2d198da8d95cd01ea2806d091bb9694ab63445bb

SHA512
14450cfea2e3b451bc2619c3a690e242cfb32a87d5c6622304cf61e80c7628ba81cabb9c2944be0388e8b9eef26815fd1e636a3621b28ee3feb0793a79b862a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTN6715.exe

Filesize
468KB

MD5
f34365128b9297335b0bbce82adaa709

SHA1
2f9f7f54f456d141275c6edeb0afd1e2e7574488

SHA256
486072f54b5dedc4a6375e9f2d198da8d95cd01ea2806d091bb9694ab63445bb

SHA512
14450cfea2e3b451bc2619c3a690e242cfb32a87d5c6622304cf61e80c7628ba81cabb9c2944be0388e8b9eef26815fd1e636a3621b28ee3feb0793a79b862a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it681501.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it681501.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr464911.exe

Filesize
485KB

MD5
cda376da781311c222227b0e757ba0b3

SHA1
b179f888423185ec92d88f802a4a89cdab1f5eb9

SHA256
cbff43ed3a086b49386857711feec3936a5c05a4f714b4dee2f32f60f7a64e92

SHA512
a6a899d70ce9123017997ac3021a462952c42f045fbe632be056845046810c00832dfd02563fdd3b5d7576555ab56b3606835ef55bb2ccf16cce2582a1dbd12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr464911.exe

Filesize
485KB

MD5
cda376da781311c222227b0e757ba0b3

SHA1
b179f888423185ec92d88f802a4a89cdab1f5eb9

SHA256
cbff43ed3a086b49386857711feec3936a5c05a4f714b4dee2f32f60f7a64e92

SHA512
a6a899d70ce9123017997ac3021a462952c42f045fbe632be056845046810c00832dfd02563fdd3b5d7576555ab56b3606835ef55bb2ccf16cce2582a1dbd12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
381KB

MD5
a7c43b1fcea0fe1d070970e2235ba405

SHA1
d35bb1378f4cef3b1a0a3b0269046620c2f6410d

SHA256
e74701c173549592d2a9f47f7537a22a4cbe8f2016c371f2d6c6568f38fb69c3

SHA512
3269f1f672e72d16467fde9ad20787250648471b922e164bc9b4717c5fd8667c4c430ddd0c70054f4c74417750d3f433c581fc683adba22164a3a7c38a7794f6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3496-206-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-957-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/3496-176-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-178-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-180-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-182-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-184-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-186-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-188-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-190-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-192-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-194-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-196-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-198-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-200-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-202-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-204-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-172-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-208-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-210-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-212-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-214-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-216-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-218-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-220-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-222-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-224-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-226-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-228-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-174-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-958-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/3496-959-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/3496-960-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3496-961-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3496-963-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/3496-964-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/3496-965-0x0000000008BE0000-0x0000000008BFE000-memory.dmp

Filesize
120KB

Download
memory/3496-966-0x0000000008C80000-0x0000000008CD0000-memory.dmp

Filesize
320KB

Download
memory/3496-967-0x0000000009000000-0x00000000091C2000-memory.dmp

Filesize
1.8MB

Download
memory/3496-968-0x00000000091E0000-0x000000000970C000-memory.dmp

Filesize
5.2MB

Download
memory/3496-971-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-972-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-973-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-160-0x0000000000B90000-0x0000000000BD6000-memory.dmp

Filesize
280KB

Download
memory/3496-161-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-163-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/3496-170-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-168-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-166-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-165-0x00000000028D0000-0x0000000002905000-memory.dmp

Filesize
212KB

Download
memory/3496-164-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3496-162-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3756-979-0x00000000074B0000-0x00000000074C0000-memory.dmp

Filesize
64KB

Download
memory/3756-978-0x0000000000730000-0x0000000000758000-memory.dmp

Filesize
160KB

Download
memory/4464-985-0x0000000000A70000-0x0000000000AA5000-memory.dmp

Filesize
212KB

Download
memory/5108-154-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download