8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 18:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe
Size

1.1MB
MD5

d22b5140741ed872b0f6071e78a2cc8d
SHA1

b8a62411a2751241e013aa0f8d34e931bbae2054
SHA256

8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b
SHA512

4641c2e2ffc89febf6ba8e1c107e4dd415d5121f39942ab9d3ea149b33507720921656d2319c519a64feceb80df626388400c9285d13ac8e04898e009ff7dfe0
SSDEEP

24576:pyap+7jDzBHA4jRvFYljA/ecYFyfMGvEd8/D+h:cap+7jBHA4DYJJB/2Ed8/

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr568776.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	si744793.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
636	un167519.exe
3472	un685243.exe
4080	pr568776.exe
1220	qu574281.exe
2808	rk390215.exe
1788	si744793.exe
992	oneetx.exe
3492	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4220	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr568776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr568776.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un167519.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un167519.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un685243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un685243.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4744	4080	WerFault.exe	78
3424	1220	WerFault.exe	87
2460	1788	WerFault.exe	92
3892	1788	WerFault.exe	92
4028	1788	WerFault.exe	92
4744	1788	WerFault.exe	92
1292	1788	WerFault.exe	92
2004	1788	WerFault.exe	92
4696	1788	WerFault.exe	92
1260	1788	WerFault.exe	92
812	1788	WerFault.exe	92
4180	1788	WerFault.exe	92
228	992	WerFault.exe	111
1540	992	WerFault.exe	111
4212	992	WerFault.exe	111
2728	992	WerFault.exe	111
4192	992	WerFault.exe	111
2608	992	WerFault.exe	111
2208	992	WerFault.exe	111
2196	992	WerFault.exe	111
4388	992	WerFault.exe	111
1796	992	WerFault.exe	111
3744	992	WerFault.exe	111
3936	992	WerFault.exe	111
1480	992	WerFault.exe	111
1840	992	WerFault.exe	111
2808	992	WerFault.exe	111
1324	3492	WerFault.exe	156
4768	992	WerFault.exe	111
4080	992	WerFault.exe	111

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4080	pr568776.exe
4080	pr568776.exe
1220	qu574281.exe
1220	qu574281.exe
2808	rk390215.exe
2808	rk390215.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	pr568776.exe
Token: SeDebugPrivilege	1220	qu574281.exe
Token: SeDebugPrivilege	2808	rk390215.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1788	si744793.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 636	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	76
PID 2916 wrote to memory of 636	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	76
PID 2916 wrote to memory of 636	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	76
PID 636 wrote to memory of 3472	636	un167519.exe	77
PID 636 wrote to memory of 3472	636	un167519.exe	77
PID 636 wrote to memory of 3472	636	un167519.exe	77
PID 3472 wrote to memory of 4080	3472	un685243.exe	78
PID 3472 wrote to memory of 4080	3472	un685243.exe	78
PID 3472 wrote to memory of 4080	3472	un685243.exe	78
PID 3472 wrote to memory of 1220	3472	un685243.exe	87
PID 3472 wrote to memory of 1220	3472	un685243.exe	87
PID 3472 wrote to memory of 1220	3472	un685243.exe	87
PID 636 wrote to memory of 2808	636	un167519.exe	91
PID 636 wrote to memory of 2808	636	un167519.exe	91
PID 636 wrote to memory of 2808	636	un167519.exe	91
PID 2916 wrote to memory of 1788	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	92
PID 2916 wrote to memory of 1788	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	92
PID 2916 wrote to memory of 1788	2916	8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe	92
PID 1788 wrote to memory of 992	1788	si744793.exe	111
PID 1788 wrote to memory of 992	1788	si744793.exe	111
PID 1788 wrote to memory of 992	1788	si744793.exe	111
PID 992 wrote to memory of 4408	992	oneetx.exe	132
PID 992 wrote to memory of 4408	992	oneetx.exe	132
PID 992 wrote to memory of 4408	992	oneetx.exe	132
PID 992 wrote to memory of 1932	992	oneetx.exe	138
PID 992 wrote to memory of 1932	992	oneetx.exe	138
PID 992 wrote to memory of 1932	992	oneetx.exe	138
PID 1932 wrote to memory of 1084	1932	cmd.exe	143
PID 1932 wrote to memory of 1084	1932	cmd.exe	143
PID 1932 wrote to memory of 1084	1932	cmd.exe	143
PID 1932 wrote to memory of 4188	1932	cmd.exe	142
PID 1932 wrote to memory of 4188	1932	cmd.exe	142
PID 1932 wrote to memory of 4188	1932	cmd.exe	142
PID 1932 wrote to memory of 1656	1932	cmd.exe	144
PID 1932 wrote to memory of 1656	1932	cmd.exe	144
PID 1932 wrote to memory of 1656	1932	cmd.exe	144
PID 1932 wrote to memory of 3076	1932	cmd.exe	145
PID 1932 wrote to memory of 3076	1932	cmd.exe	145
PID 1932 wrote to memory of 3076	1932	cmd.exe	145
PID 1932 wrote to memory of 492	1932	cmd.exe	146
PID 1932 wrote to memory of 492	1932	cmd.exe	146
PID 1932 wrote to memory of 492	1932	cmd.exe	146
PID 1932 wrote to memory of 2404	1932	cmd.exe	147
PID 1932 wrote to memory of 2404	1932	cmd.exe	147
PID 1932 wrote to memory of 2404	1932	cmd.exe	147
PID 992 wrote to memory of 4220	992	oneetx.exe	161
PID 992 wrote to memory of 4220	992	oneetx.exe	161
PID 992 wrote to memory of 4220	992	oneetx.exe	161

C:\Users\Admin\AppData\Local\Temp\8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe
"C:\Users\Admin\AppData\Local\Temp\8862e1a9b14397b3ce940e74526f829a2612a89adba28ac6964484f94b36406b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un167519.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un167519.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un685243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un685243.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr568776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr568776.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1084
        5⤵
        Program crash
        
        PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu574281.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu574281.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1920
        5⤵
        Program crash
        
        PID:3424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk390215.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk390215.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si744793.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si744793.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 696
    3⤵
    - Program crash
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 784
    3⤵
    - Program crash
    PID:3892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 816
    3⤵
    - Program crash
    PID:4028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 864
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 984
    3⤵
    - Program crash
    PID:1292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 984
    3⤵
    - Program crash
    PID:2004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1224
    3⤵
    - Program crash
    PID:4696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1268
    3⤵
    - Program crash
    PID:1260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1320
    3⤵
    - Program crash
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 692
      4⤵
      Program crash
      PID:228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 828
      4⤵
      Program crash
      PID:1540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 892
      4⤵
      Program crash
      PID:4212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1052
      4⤵
      Program crash
      PID:2728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1072
      4⤵
      Program crash
      PID:4192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1088
      4⤵
      Program crash
      PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1092
      4⤵
      Program crash
      PID:2208
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 832
      4⤵
      Program crash
      PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 764
      4⤵
      Program crash
      PID:4388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:492
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1344
      4⤵
      Program crash
      PID:1796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 684
      4⤵
      Program crash
      PID:3744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1308
      4⤵
      Program crash
      PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1292
      4⤵
      Program crash
      PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1136
      4⤵
      Program crash
      PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1668
      4⤵
      Program crash
      PID:2808
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 828
      4⤵
      Program crash
      PID:4768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1684
      4⤵
      Program crash
      PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1332
    3⤵
    - Program crash
    PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1220 -ip 1220
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1788 -ip 1788
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1788 -ip 1788
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1788 -ip 1788
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1788 -ip 1788
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1788 -ip 1788
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1788 -ip 1788
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1788 -ip 1788
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1788 -ip 1788
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1788 -ip 1788
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1788 -ip 1788
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 992 -ip 992
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 992 -ip 992
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 992
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 992 -ip 992
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 992 -ip 992
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 992 -ip 992
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 992 -ip 992
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 992 -ip 992
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 992 -ip 992
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 992 -ip 992
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 992 -ip 992
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 312
  2⤵
  - Program crash
  PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 992 -ip 992
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3492 -ip 3492
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 992 -ip 992
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 992 -ip 992
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si744793.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si744793.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un167519.exe

Filesize
765KB

MD5
dbb318400d9e3c9cd3a1f67d309ee15a

SHA1
997dd881bd913da52d32451cb8d4dac77cb2097e

SHA256
5326c772f4ca8ec6b5e5e28bb9052d7d98610a0b8b1184c2246666c91e7deda9

SHA512
b65d730d497faaf803ba61c145317d342eee61f3ca6bf1f94d957f14cb5e20a2ea5936d32dfb511c80f3e28f6ad442a26bb15ac3a16cc728d0743829a58a00bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un167519.exe

Filesize
765KB

MD5
dbb318400d9e3c9cd3a1f67d309ee15a

SHA1
997dd881bd913da52d32451cb8d4dac77cb2097e

SHA256
5326c772f4ca8ec6b5e5e28bb9052d7d98610a0b8b1184c2246666c91e7deda9

SHA512
b65d730d497faaf803ba61c145317d342eee61f3ca6bf1f94d957f14cb5e20a2ea5936d32dfb511c80f3e28f6ad442a26bb15ac3a16cc728d0743829a58a00bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk390215.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk390215.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un685243.exe

Filesize
610KB

MD5
a4659b0326479f463d2ad39714631153

SHA1
ea84208c0445a6d3e7071342d03cf94cb031a3c1

SHA256
da925d1b2304b2a19e11a6f1c7fd7a0c5ecd557a7bbade7f6308fad0ca303f2f

SHA512
58817ebe9bb2a6321def668298ae602f48945e32a9b60585015c8061905c94d0a5b6092dd7c674077e59096a1ce3bde3d11475957abb34e135631353bc286608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un685243.exe

Filesize
610KB

MD5
a4659b0326479f463d2ad39714631153

SHA1
ea84208c0445a6d3e7071342d03cf94cb031a3c1

SHA256
da925d1b2304b2a19e11a6f1c7fd7a0c5ecd557a7bbade7f6308fad0ca303f2f

SHA512
58817ebe9bb2a6321def668298ae602f48945e32a9b60585015c8061905c94d0a5b6092dd7c674077e59096a1ce3bde3d11475957abb34e135631353bc286608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr568776.exe

Filesize
405KB

MD5
52502b249183ef97fec5c56393acad56

SHA1
2d2422d294e4ecfa554897d0fe2fe3e35cd25425

SHA256
efc5550b5ed36cd2d182d39b7a779f3279c85e1616410ad331d0ba34bf5dcc95

SHA512
805484848588682bf6fe3c0d3607c80195dcda5edd819a70fceeb094bbca2105ec7b3e21b4026f4c225e012e441000c3d5b24579cc094fa922d57951ec737273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr568776.exe

Filesize
405KB

MD5
52502b249183ef97fec5c56393acad56

SHA1
2d2422d294e4ecfa554897d0fe2fe3e35cd25425

SHA256
efc5550b5ed36cd2d182d39b7a779f3279c85e1616410ad331d0ba34bf5dcc95

SHA512
805484848588682bf6fe3c0d3607c80195dcda5edd819a70fceeb094bbca2105ec7b3e21b4026f4c225e012e441000c3d5b24579cc094fa922d57951ec737273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu574281.exe

Filesize
488KB

MD5
3968571689f63d991b1b6a7985fad1da

SHA1
e80ab3b0af3d33cad4921ca07e7741a22b250d3b

SHA256
2eedb09fbb13e7b2230ac3d1ef9b2f2e100a8eb1a190f39d6729311e77bc399f

SHA512
3e95157dffb0e6af0bc2a3bfd4067e2716f46b458c3ddee229c3dc16f9e2bf923138d8096dd535f2b639859494e4262cec2c9f1d2db899570d47304548e789f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu574281.exe

Filesize
488KB

MD5
3968571689f63d991b1b6a7985fad1da

SHA1
e80ab3b0af3d33cad4921ca07e7741a22b250d3b

SHA256
2eedb09fbb13e7b2230ac3d1ef9b2f2e100a8eb1a190f39d6729311e77bc399f

SHA512
3e95157dffb0e6af0bc2a3bfd4067e2716f46b458c3ddee229c3dc16f9e2bf923138d8096dd535f2b639859494e4262cec2c9f1d2db899570d47304548e789f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
384KB

MD5
735218a2441688b622a90064b53ae618

SHA1
cb436ae6d36aaeaad4267fca4273cf4df4eaba9d

SHA256
f3496e9b272d3eabe52b47012cc40e8c58acc57f164afc77fceb10c7e01ce775

SHA512
6ab90749647507dc97196a4739a4690d727808ad1f5530a3070da56264cec3fa7c527507931f4450896a0cc007306ed957ac38347cb040c31d6548bccffc4723

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1220-999-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/1220-615-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/1220-1005-0x0000000009580000-0x000000000959E000-memory.dmp

Filesize
120KB

Download
memory/1220-1004-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/1220-1003-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/1220-1002-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/1220-1001-0x0000000008B30000-0x0000000008B80000-memory.dmp

Filesize
320KB

Download
memory/1220-1000-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/1220-998-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1220-997-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1220-996-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1220-995-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/1220-994-0x0000000007970000-0x0000000007F88000-memory.dmp

Filesize
6.1MB

Download
memory/1220-198-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-199-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-201-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-203-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-205-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-207-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-209-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-211-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-213-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-215-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-217-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-219-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-221-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-223-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-225-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-227-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-229-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-231-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/1220-619-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1220-616-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1220-618-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1788-1018-0x0000000000960000-0x0000000000995000-memory.dmp

Filesize
212KB

Download
memory/2808-1011-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/2808-1012-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/4080-169-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-177-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-190-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-175-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-189-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4080-187-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-185-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-183-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-181-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-171-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-179-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-193-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4080-191-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-167-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-165-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-173-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-163-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-161-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-160-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4080-159-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-157-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-156-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4080-158-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4080-155-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download