43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506

Analysis

max time kernel
141s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe
Size

939KB
MD5

6ee3c0815786632c0ef14c77bf451e3e
SHA1

bfee233a8c22df5b8cea200b5d29b4ed956b83af
SHA256

43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506
SHA512

4599bb68d6c444c6ea499a476dabe472751d61f582db5b2354e98768734635b69ae6cd0a4bb783325eb0a5cfbe89fbe4995798e026797892f3795137915165af
SSDEEP

12288:vy90oOwpQu8nuxlJ6dsUBosij8OynxICpAglzLHPyVdU5tdy7WhWcuYuOA+:vyUw788lJEs5sFxfqgtKVdU5zAsuYdH

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it603936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it603936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it603936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it603936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it603936.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it603936.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lr036017.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4512	ziYS5006.exe
3080	ziEy1425.exe
5104	it603936.exe
4548	jr777246.exe
324	kp205303.exe
1124	lr036017.exe
1552	oneetx.exe
3268	oneetx.exe
2064	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3584	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it603936.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziYS5006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziYS5006.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEy1425.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziEy1425.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1612	4548	WerFault.exe	88
3856	1124	WerFault.exe	92
3732	1124	WerFault.exe	92
4068	1124	WerFault.exe	92
764	1124	WerFault.exe	92
3728	1124	WerFault.exe	92
2780	1124	WerFault.exe	92
3132	1124	WerFault.exe	92
2396	1124	WerFault.exe	92
2944	1124	WerFault.exe	92
1368	1124	WerFault.exe	92
4492	1552	WerFault.exe	112
5036	1552	WerFault.exe	112
5060	1552	WerFault.exe	112
3340	1552	WerFault.exe	112
2328	1552	WerFault.exe	112
3920	1552	WerFault.exe	112
4468	1552	WerFault.exe	112
396	1552	WerFault.exe	112
468	1552	WerFault.exe	112
2032	1552	WerFault.exe	112
3388	1552	WerFault.exe	112
3156	1552	WerFault.exe	112
5116	1552	WerFault.exe	112
2608	1552	WerFault.exe	112
352	3268	WerFault.exe	153
8	1552	WerFault.exe	112
3408	1552	WerFault.exe	112
2416	1552	WerFault.exe	112
1640	1552	WerFault.exe	112
2964	2064	WerFault.exe	165

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	it603936.exe
5104	it603936.exe
4548	jr777246.exe
4548	jr777246.exe
324	kp205303.exe
324	kp205303.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	it603936.exe
Token: SeDebugPrivilege	4548	jr777246.exe
Token: SeDebugPrivilege	324	kp205303.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1124	lr036017.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4512	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	85
PID 3824 wrote to memory of 4512	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	85
PID 3824 wrote to memory of 4512	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	85
PID 4512 wrote to memory of 3080	4512	ziYS5006.exe	86
PID 4512 wrote to memory of 3080	4512	ziYS5006.exe	86
PID 4512 wrote to memory of 3080	4512	ziYS5006.exe	86
PID 3080 wrote to memory of 5104	3080	ziEy1425.exe	87
PID 3080 wrote to memory of 5104	3080	ziEy1425.exe	87
PID 3080 wrote to memory of 4548	3080	ziEy1425.exe	88
PID 3080 wrote to memory of 4548	3080	ziEy1425.exe	88
PID 3080 wrote to memory of 4548	3080	ziEy1425.exe	88
PID 4512 wrote to memory of 324	4512	ziYS5006.exe	91
PID 4512 wrote to memory of 324	4512	ziYS5006.exe	91
PID 4512 wrote to memory of 324	4512	ziYS5006.exe	91
PID 3824 wrote to memory of 1124	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	92
PID 3824 wrote to memory of 1124	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	92
PID 3824 wrote to memory of 1124	3824	43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe	92
PID 1124 wrote to memory of 1552	1124	lr036017.exe	112
PID 1124 wrote to memory of 1552	1124	lr036017.exe	112
PID 1124 wrote to memory of 1552	1124	lr036017.exe	112
PID 1552 wrote to memory of 2476	1552	oneetx.exe	131
PID 1552 wrote to memory of 2476	1552	oneetx.exe	131
PID 1552 wrote to memory of 2476	1552	oneetx.exe	131
PID 1552 wrote to memory of 2580	1552	oneetx.exe	137
PID 1552 wrote to memory of 2580	1552	oneetx.exe	137
PID 1552 wrote to memory of 2580	1552	oneetx.exe	137
PID 2580 wrote to memory of 3472	2580	cmd.exe	142
PID 2580 wrote to memory of 3472	2580	cmd.exe	142
PID 2580 wrote to memory of 3472	2580	cmd.exe	142
PID 2580 wrote to memory of 4236	2580	cmd.exe	141
PID 2580 wrote to memory of 4236	2580	cmd.exe	141
PID 2580 wrote to memory of 4236	2580	cmd.exe	141
PID 2580 wrote to memory of 3384	2580	cmd.exe	143
PID 2580 wrote to memory of 3384	2580	cmd.exe	143
PID 2580 wrote to memory of 3384	2580	cmd.exe	143
PID 2580 wrote to memory of 3284	2580	cmd.exe	144
PID 2580 wrote to memory of 3284	2580	cmd.exe	144
PID 2580 wrote to memory of 3284	2580	cmd.exe	144
PID 2580 wrote to memory of 3088	2580	cmd.exe	145
PID 2580 wrote to memory of 3088	2580	cmd.exe	145
PID 2580 wrote to memory of 3088	2580	cmd.exe	145
PID 2580 wrote to memory of 2896	2580	cmd.exe	146
PID 2580 wrote to memory of 2896	2580	cmd.exe	146
PID 2580 wrote to memory of 2896	2580	cmd.exe	146
PID 1552 wrote to memory of 3584	1552	oneetx.exe	160
PID 1552 wrote to memory of 3584	1552	oneetx.exe	160
PID 1552 wrote to memory of 3584	1552	oneetx.exe	160

C:\Users\Admin\AppData\Local\Temp\43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe
"C:\Users\Admin\AppData\Local\Temp\43b3e52d38e88c5bb07555ae690110d04b1d44d4d76433a3fd370e36d2850506.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYS5006.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYS5006.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEy1425.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEy1425.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603936.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr777246.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr777246.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1328
        5⤵
        Program crash
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp205303.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp205303.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr036017.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr036017.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 696
    3⤵
    - Program crash
    PID:3856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 780
    3⤵
    - Program crash
    PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 796
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 968
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 964
    3⤵
    - Program crash
    PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 796
    3⤵
    - Program crash
    PID:2780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1208
    3⤵
    - Program crash
    PID:3132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1228
    3⤵
    - Program crash
    PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1312
    3⤵
    - Program crash
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 692
      4⤵
      Program crash
      PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1004
      4⤵
      Program crash
      PID:5036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1100
      4⤵
      Program crash
      PID:5060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1136
      4⤵
      Program crash
      PID:3340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1096
      4⤵
      Program crash
      PID:2328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1120
      4⤵
      Program crash
      PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1168
      4⤵
      Program crash
      PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1204
      4⤵
      Program crash
      PID:396
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 992
      4⤵
      Program crash
      PID:468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 744
      4⤵
      Program crash
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3472
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3284
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 764
      4⤵
      Program crash
      PID:3388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1292
      4⤵
      Program crash
      PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 992
      4⤵
      Program crash
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1252
      4⤵
      Program crash
      PID:2608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1080
      4⤵
      Program crash
      PID:8
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1080
      4⤵
      Program crash
      PID:3408
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1588
      4⤵
      Program crash
      PID:2416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1568
      4⤵
      Program crash
      PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 748
    3⤵
    - Program crash
    PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4548 -ip 4548
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1124 -ip 1124
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1124 -ip 1124
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1124 -ip 1124
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1124 -ip 1124
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1124 -ip 1124
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1124 -ip 1124
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1124 -ip 1124
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1124 -ip 1124
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1124 -ip 1124
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1124 -ip 1124
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1552 -ip 1552
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1552 -ip 1552
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1552 -ip 1552
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1552 -ip 1552
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1552 -ip 1552
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1552 -ip 1552
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1552 -ip 1552
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1552 -ip 1552
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1552 -ip 1552
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1552 -ip 1552
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1552 -ip 1552
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1552 -ip 1552
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1552 -ip 1552
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1552 -ip 1552
1⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 316
  2⤵
  - Program crash
  PID:352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3268 -ip 3268
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1552 -ip 1552
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1552 -ip 1552
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1552 -ip 1552
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1552 -ip 1552
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 320
  2⤵
  - Program crash
  PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2064 -ip 2064
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr036017.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr036017.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYS5006.exe

Filesize
624KB

MD5
19ed33f57dcf44251c498c98df8490ba

SHA1
d842bf18ea23f7e856f1a418bb428ab6a046aa50

SHA256
5d94635b332131f559c06e739eaa1809a2770686e0ef3db894b0492283c88678

SHA512
88bbdc6f8e248e802257509c0de931d579ba1e663513ae7c2af5c07fb6178863a7c64e4cc9f801ad783e438ad6bbb49616f0426d5ffc1a7d2530861ec39b40f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYS5006.exe

Filesize
624KB

MD5
19ed33f57dcf44251c498c98df8490ba

SHA1
d842bf18ea23f7e856f1a418bb428ab6a046aa50

SHA256
5d94635b332131f559c06e739eaa1809a2770686e0ef3db894b0492283c88678

SHA512
88bbdc6f8e248e802257509c0de931d579ba1e663513ae7c2af5c07fb6178863a7c64e4cc9f801ad783e438ad6bbb49616f0426d5ffc1a7d2530861ec39b40f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp205303.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp205303.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEy1425.exe

Filesize
470KB

MD5
4f528560242787af89e2d83ee6339eec

SHA1
80648876c42de56fa5e86a3ec966a00bb218a68e

SHA256
30fd0e4816afcb3f86c7a188df75621f75bf37f5ff7471c663890d23b2b82d5e

SHA512
d309726eeb66cae0b398e7bc1902e3e00d7216b34e6e9dccf14d4731e9bccaeff6d33a7724e435d85ea8fd5ca00ca8cd48431000885367dad3e0a987ebeb2516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziEy1425.exe

Filesize
470KB

MD5
4f528560242787af89e2d83ee6339eec

SHA1
80648876c42de56fa5e86a3ec966a00bb218a68e

SHA256
30fd0e4816afcb3f86c7a188df75621f75bf37f5ff7471c663890d23b2b82d5e

SHA512
d309726eeb66cae0b398e7bc1902e3e00d7216b34e6e9dccf14d4731e9bccaeff6d33a7724e435d85ea8fd5ca00ca8cd48431000885367dad3e0a987ebeb2516

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603936.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it603936.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr777246.exe

Filesize
486KB

MD5
ccdb589bcb06e5626c98f1f232a582e9

SHA1
84c9fcf5d9489f576c6fb715d8b04bf7b9d275f4

SHA256
b58399f8b06a545df53bfca6c0f6545bf97dbd530ec6b2fe982baa28b323131d

SHA512
250600cd0149186f793152ad9512f669ed6d1bba0034146453fa5e91ab90f5948b0295ef04624f7ffcfd0e47dc81ec86739a9bfc4dc60ee376a30076744f9b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr777246.exe

Filesize
486KB

MD5
ccdb589bcb06e5626c98f1f232a582e9

SHA1
84c9fcf5d9489f576c6fb715d8b04bf7b9d275f4

SHA256
b58399f8b06a545df53bfca6c0f6545bf97dbd530ec6b2fe982baa28b323131d

SHA512
250600cd0149186f793152ad9512f669ed6d1bba0034146453fa5e91ab90f5948b0295ef04624f7ffcfd0e47dc81ec86739a9bfc4dc60ee376a30076744f9b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
382KB

MD5
586c2c3c387038a375a60ed9253a87fc

SHA1
1c00f420f326a095a41ed7321cc7ddff83b18d07

SHA256
ec7299838fde22c26fbe9a523f23eed4c763178cacaf8c3c1477d1daace27f8c

SHA512
4652bd1bc436a497f45d2584186316abcbffd4cc607a622319f5727d75ef4277166fbd4064d08c54cfe80a1ff9aec4b946ac32616155a32ec346f1b3d07faeda

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/324-974-0x0000000000840000-0x0000000000868000-memory.dmp

Filesize
160KB

Download
memory/324-975-0x00000000078D0000-0x00000000078E0000-memory.dmp

Filesize
64KB

Download
memory/1124-981-0x0000000000C90000-0x0000000000CC5000-memory.dmp

Filesize
212KB

Download
memory/4548-204-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-957-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/4548-184-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-186-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-188-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-190-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-192-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-194-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-196-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-198-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-200-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-202-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-180-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-206-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-208-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-210-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-212-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-214-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-216-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-218-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-220-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-222-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-224-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-228-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-226-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-182-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-958-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4548-959-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4548-960-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4548-961-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4548-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4548-963-0x0000000008BC0000-0x0000000008C52000-memory.dmp

Filesize
584KB

Download
memory/4548-964-0x0000000008D80000-0x0000000008DD0000-memory.dmp

Filesize
320KB

Download
memory/4548-965-0x0000000008DD0000-0x0000000008E46000-memory.dmp

Filesize
472KB

Download
memory/4548-178-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-176-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-174-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-172-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-170-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-168-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-166-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-165-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4548-164-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4548-162-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/4548-163-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4548-161-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4548-160-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/4548-966-0x0000000008E80000-0x0000000008E9E000-memory.dmp

Filesize
120KB

Download
memory/4548-967-0x0000000008FA0000-0x0000000009162000-memory.dmp

Filesize
1.8MB

Download
memory/4548-968-0x0000000009170000-0x000000000969C000-memory.dmp

Filesize
5.2MB

Download
memory/5104-154-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download