d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035

Analysis

max time kernel
143s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe
Size

936KB
MD5

9903dd89794fdf8444ac4d8af3a001ba
SHA1

a9f1ff7f86778382d45f940a3cbfd5a7c6dfe87b
SHA256

d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035
SHA512

bf0ca839461b5571fdfd780a039f7cfe43ce6b0db3eba3584880a7c8a12fc2bfbf9a85b245f5e06137d2a1ae179479b07dbb4d04e4ee50bdc378d10e62cfbb12
SSDEEP

12288:Uy90O0YgstBQ/C41aKjigUvDUjrx/x9mAl8C9+P0+VM/d8OCfsX5is34mEAwJmFj:UyQ2zTkrr9m45kP1Vgd8HfsXdKJmuw

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it511539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it511539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it511539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it511539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it511539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it511539.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	lr374333.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1760	zifX2396.exe
4800	ziTg7334.exe
1684	it511539.exe
1744	jr518635.exe
4604	kp409437.exe
1880	lr374333.exe
3648	oneetx.exe
3240	oneetx.exe
5020	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
524	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it511539.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zifX2396.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zifX2396.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziTg7334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziTg7334.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4456	1744	WerFault.exe	90
4884	1880	WerFault.exe	94
3056	1880	WerFault.exe	94
3932	1880	WerFault.exe	94
2656	1880	WerFault.exe	94
2152	1880	WerFault.exe	94
3812	1880	WerFault.exe	94
3692	1880	WerFault.exe	94
1108	1880	WerFault.exe	94
2488	1880	WerFault.exe	94
4568	1880	WerFault.exe	94
1556	3648	WerFault.exe	114
4308	3648	WerFault.exe	114
3496	3648	WerFault.exe	114
1612	3648	WerFault.exe	114
4832	3648	WerFault.exe	114
1336	3648	WerFault.exe	114
384	3648	WerFault.exe	114
2792	3648	WerFault.exe	114
1704	3648	WerFault.exe	114
2864	3648	WerFault.exe	114
1124	3648	WerFault.exe	114
3368	3648	WerFault.exe	114
2788	3648	WerFault.exe	114
3932	3648	WerFault.exe	114
4992	3240	WerFault.exe	159
4520	3648	WerFault.exe	114
1220	3648	WerFault.exe	114
2412	3648	WerFault.exe	114
980	5020	WerFault.exe	169

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1684	it511539.exe
1684	it511539.exe
1744	jr518635.exe
1744	jr518635.exe
4604	kp409437.exe
4604	kp409437.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	it511539.exe
Token: SeDebugPrivilege	1744	jr518635.exe
Token: SeDebugPrivilege	4604	kp409437.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1880	lr374333.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1760	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	84
PID 2276 wrote to memory of 1760	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	84
PID 2276 wrote to memory of 1760	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	84
PID 1760 wrote to memory of 4800	1760	zifX2396.exe	85
PID 1760 wrote to memory of 4800	1760	zifX2396.exe	85
PID 1760 wrote to memory of 4800	1760	zifX2396.exe	85
PID 4800 wrote to memory of 1684	4800	ziTg7334.exe	86
PID 4800 wrote to memory of 1684	4800	ziTg7334.exe	86
PID 4800 wrote to memory of 1744	4800	ziTg7334.exe	90
PID 4800 wrote to memory of 1744	4800	ziTg7334.exe	90
PID 4800 wrote to memory of 1744	4800	ziTg7334.exe	90
PID 1760 wrote to memory of 4604	1760	zifX2396.exe	93
PID 1760 wrote to memory of 4604	1760	zifX2396.exe	93
PID 1760 wrote to memory of 4604	1760	zifX2396.exe	93
PID 2276 wrote to memory of 1880	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	94
PID 2276 wrote to memory of 1880	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	94
PID 2276 wrote to memory of 1880	2276	d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe	94
PID 1880 wrote to memory of 3648	1880	lr374333.exe	114
PID 1880 wrote to memory of 3648	1880	lr374333.exe	114
PID 1880 wrote to memory of 3648	1880	lr374333.exe	114
PID 3648 wrote to memory of 4200	3648	oneetx.exe	132
PID 3648 wrote to memory of 4200	3648	oneetx.exe	132
PID 3648 wrote to memory of 4200	3648	oneetx.exe	132
PID 3648 wrote to memory of 3440	3648	oneetx.exe	140
PID 3648 wrote to memory of 3440	3648	oneetx.exe	140
PID 3648 wrote to memory of 3440	3648	oneetx.exe	140
PID 3440 wrote to memory of 888	3440	cmd.exe	144
PID 3440 wrote to memory of 888	3440	cmd.exe	144
PID 3440 wrote to memory of 888	3440	cmd.exe	144
PID 3440 wrote to memory of 3808	3440	cmd.exe	145
PID 3440 wrote to memory of 3808	3440	cmd.exe	145
PID 3440 wrote to memory of 3808	3440	cmd.exe	145
PID 3440 wrote to memory of 1516	3440	cmd.exe	146
PID 3440 wrote to memory of 1516	3440	cmd.exe	146
PID 3440 wrote to memory of 1516	3440	cmd.exe	146
PID 3440 wrote to memory of 1676	3440	cmd.exe	148
PID 3440 wrote to memory of 1676	3440	cmd.exe	148
PID 3440 wrote to memory of 1676	3440	cmd.exe	148
PID 3440 wrote to memory of 1964	3440	cmd.exe	147
PID 3440 wrote to memory of 1964	3440	cmd.exe	147
PID 3440 wrote to memory of 1964	3440	cmd.exe	147
PID 3440 wrote to memory of 3632	3440	cmd.exe	149
PID 3440 wrote to memory of 3632	3440	cmd.exe	149
PID 3440 wrote to memory of 3632	3440	cmd.exe	149
PID 3648 wrote to memory of 524	3648	oneetx.exe	164
PID 3648 wrote to memory of 524	3648	oneetx.exe	164
PID 3648 wrote to memory of 524	3648	oneetx.exe	164

C:\Users\Admin\AppData\Local\Temp\d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe
"C:\Users\Admin\AppData\Local\Temp\d17d0b57a6a3bd38015cca851b78f920e270aca5d8cfef342e46bbfab5318035.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifX2396.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifX2396.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTg7334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTg7334.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it511539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it511539.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr518635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr518635.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1332
        5⤵
        Program crash
        
        PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp409437.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp409437.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr374333.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr374333.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 696
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 772
    3⤵
    - Program crash
    PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 796
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 804
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 808
    3⤵
    - Program crash
    PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 968
    3⤵
    - Program crash
    PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1216
    3⤵
    - Program crash
    PID:3692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1240
    3⤵
    - Program crash
    PID:1108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1316
    3⤵
    - Program crash
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 692
      4⤵
      Program crash
      PID:1556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 828
      4⤵
      Program crash
      PID:4308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 892
      4⤵
      Program crash
      PID:3496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1052
      4⤵
      Program crash
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1060
      4⤵
      Program crash
      PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1060
      4⤵
      Program crash
      PID:1336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1064
      4⤵
      Program crash
      PID:384
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 992
      4⤵
      Program crash
      PID:2792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 728
      4⤵
      Program crash
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3808
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1292
      4⤵
      Program crash
      PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1260
      4⤵
      Program crash
      PID:1124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 788
      4⤵
      Program crash
      PID:3368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 744
      4⤵
      Program crash
      PID:2788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1108
      4⤵
      Program crash
      PID:3932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1564
      4⤵
      Program crash
      PID:4520
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1108
      4⤵
      Program crash
      PID:1220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1636
      4⤵
      Program crash
      PID:2412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1364
    3⤵
    - Program crash
    PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1744 -ip 1744
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1880 -ip 1880
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1880 -ip 1880
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1880 -ip 1880
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1880 -ip 1880
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1880 -ip 1880
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1880 -ip 1880
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1880 -ip 1880
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1880 -ip 1880
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1880 -ip 1880
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1880 -ip 1880
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3648 -ip 3648
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3648 -ip 3648
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3648 -ip 3648
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3648 -ip 3648
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3648 -ip 3648
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3648 -ip 3648
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3648 -ip 3648
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3648 -ip 3648
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3648 -ip 3648
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3648 -ip 3648
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3648 -ip 3648
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3648 -ip 3648
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3648 -ip 3648
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3648 -ip 3648
1⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 316
  2⤵
  - Program crash
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3240 -ip 3240
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3648 -ip 3648
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3648 -ip 3648
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3648 -ip 3648
1⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 320
  2⤵
  - Program crash
  PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr374333.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr374333.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifX2396.exe

Filesize
623KB

MD5
618270d7628958d6af5ad8097a44ddca

SHA1
92521168ba9d5f804d10a79eac31ae30b6e499c2

SHA256
39676ccd8a2324bd3f3d884ccfb7bc7ecfd8e77910c35a6d73bf4c83c32b06bf

SHA512
f713092a3c3b5b647df99af0a209f0a8d306577e9afeaa4aec43b3f486a892043e71b8458f5bb4299788ff4dbe5a18eb8f9d03f734d9a26c934a54414e9c329a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifX2396.exe

Filesize
623KB

MD5
618270d7628958d6af5ad8097a44ddca

SHA1
92521168ba9d5f804d10a79eac31ae30b6e499c2

SHA256
39676ccd8a2324bd3f3d884ccfb7bc7ecfd8e77910c35a6d73bf4c83c32b06bf

SHA512
f713092a3c3b5b647df99af0a209f0a8d306577e9afeaa4aec43b3f486a892043e71b8458f5bb4299788ff4dbe5a18eb8f9d03f734d9a26c934a54414e9c329a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp409437.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp409437.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTg7334.exe

Filesize
468KB

MD5
ab06c3f010e0edfb5bcc35256285efc5

SHA1
35da3566a43e9dfb509e23ae53c5177aec542495

SHA256
4867ce1448acd8afe3d7232bc4c0e833b65dca09ce8656bfafab28cd09779150

SHA512
8754ff28cea48ec8d853d42d0be56366b0c01e188e59d2b1718cd7ed5a89bf9a4202c7ceb376a93261557a056d38957dc1d479bff056e6cb1cc1fe65d1265d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziTg7334.exe

Filesize
468KB

MD5
ab06c3f010e0edfb5bcc35256285efc5

SHA1
35da3566a43e9dfb509e23ae53c5177aec542495

SHA256
4867ce1448acd8afe3d7232bc4c0e833b65dca09ce8656bfafab28cd09779150

SHA512
8754ff28cea48ec8d853d42d0be56366b0c01e188e59d2b1718cd7ed5a89bf9a4202c7ceb376a93261557a056d38957dc1d479bff056e6cb1cc1fe65d1265d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it511539.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it511539.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr518635.exe

Filesize
488KB

MD5
0efb3fd93078f232a8eca921813c108c

SHA1
35bbe98eee311d222618354e2442b94b592b0804

SHA256
d57e9cfba3f3b87267276bdff254179c6c180f0d6b6eaeb200bdec56f002df26

SHA512
9a625353c23f9a4dcb578ebd8e7ca913a84cb364966bad4923a0a90843ee86a2fd5f08053fbd18475af7a3d9988ae9596053164ddaa24fe47c711bbb7491ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr518635.exe

Filesize
488KB

MD5
0efb3fd93078f232a8eca921813c108c

SHA1
35bbe98eee311d222618354e2442b94b592b0804

SHA256
d57e9cfba3f3b87267276bdff254179c6c180f0d6b6eaeb200bdec56f002df26

SHA512
9a625353c23f9a4dcb578ebd8e7ca913a84cb364966bad4923a0a90843ee86a2fd5f08053fbd18475af7a3d9988ae9596053164ddaa24fe47c711bbb7491ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
870823f255a0b2e73bbd3d124034f617

SHA1
68293b0adb7cea93e72b8f503530a90bd1f3a077

SHA256
4e5884019e07f8d8868a9ee3deb3c643453507dcc0475b2d2a2eacf38fbbbd15

SHA512
e7f0b817426d733bc3b379801e4e5d3bff7afc49fe1b4c1a03bd0aa1febd6644df94168476f4b169575764730453f209dd6d655c9968c2c5a717b9b271ef95da

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1684-154-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/1744-200-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-226-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-176-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-178-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-180-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-184-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-182-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-186-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-188-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-190-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-192-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-194-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-196-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-198-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-172-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-202-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-204-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-206-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-208-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-210-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-212-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-214-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-216-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-218-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-220-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-222-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-224-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-174-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-228-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-957-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/1744-958-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1744-959-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1744-960-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1744-961-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1744-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/1744-963-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/1744-964-0x0000000008B30000-0x0000000008B80000-memory.dmp

Filesize
320KB

Download
memory/1744-965-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/1744-966-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/1744-967-0x0000000008D50000-0x0000000008F12000-memory.dmp

Filesize
1.8MB

Download
memory/1744-968-0x0000000008F20000-0x000000000944C000-memory.dmp

Filesize
5.2MB

Download
memory/1744-160-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/1744-170-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-168-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-166-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-165-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/1744-164-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1744-163-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1744-162-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1744-161-0x0000000002470000-0x00000000024B6000-memory.dmp

Filesize
280KB

Download
memory/1880-982-0x0000000000B70000-0x0000000000BA5000-memory.dmp

Filesize
212KB

Download
memory/4604-975-0x0000000000370000-0x0000000000398000-memory.dmp

Filesize
160KB

Download
memory/4604-976-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download