342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe
Size

829KB
MD5

358a44cb930dfdfe7d235250c404867a
SHA1

286abcdf9f8a6d5c26559d796439faef32960389
SHA256

342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e
SHA512

2b048a36e6e9e774e2e1d2875a2d1f8e865b3772c288b9d3853c086b25989cc540073f4cfa0c18089e551791a276b1e4dfb9c8626ef951020dec0c8615605083
SSDEEP

24576:gyuq5R5n6ljzON4ffC/VOxy2cMrAEm9EDt:nuMcdaN4ffAm7Rnmi

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it981728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it981728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it981728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it981728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it981728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it981728.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lr758745.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1440	ziAp9882.exe
1988	zity0559.exe
1716	it981728.exe
1400	jr012818.exe
876	kp267483.exe
3000	lr758745.exe
5020	oneetx.exe
1464	oneetx.exe
5024	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4844	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it981728.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziAp9882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziAp9882.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zity0559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zity0559.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3768	1400	WerFault.exe	94
3204	3000	WerFault.exe	101
1716	3000	WerFault.exe	101
3408	3000	WerFault.exe	101
2616	3000	WerFault.exe	101
4760	3000	WerFault.exe	101
1936	3000	WerFault.exe	101
1488	3000	WerFault.exe	101
2880	3000	WerFault.exe	101
436	3000	WerFault.exe	101
4392	3000	WerFault.exe	101
1664	5020	WerFault.exe	121
3744	5020	WerFault.exe	121
4144	5020	WerFault.exe	121
3028	5020	WerFault.exe	121
4500	5020	WerFault.exe	121
2624	5020	WerFault.exe	121
228	5020	WerFault.exe	121
2532	5020	WerFault.exe	121
3228	5020	WerFault.exe	121
4924	5020	WerFault.exe	121
1356	5020	WerFault.exe	121
3204	5020	WerFault.exe	121
2780	5020	WerFault.exe	121
1008	5020	WerFault.exe	121
3684	1464	WerFault.exe	162
4676	5020	WerFault.exe	121
4864	5020	WerFault.exe	121
4376	5020	WerFault.exe	121
3000	5024	WerFault.exe	172

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1716	it981728.exe
1716	it981728.exe
1400	jr012818.exe
1400	jr012818.exe
876	kp267483.exe
876	kp267483.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	it981728.exe
Token: SeDebugPrivilege	1400	jr012818.exe
Token: SeDebugPrivilege	876	kp267483.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3000	lr758745.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1440	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	87
PID 1732 wrote to memory of 1440	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	87
PID 1732 wrote to memory of 1440	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	87
PID 1440 wrote to memory of 1988	1440	ziAp9882.exe	88
PID 1440 wrote to memory of 1988	1440	ziAp9882.exe	88
PID 1440 wrote to memory of 1988	1440	ziAp9882.exe	88
PID 1988 wrote to memory of 1716	1988	zity0559.exe	89
PID 1988 wrote to memory of 1716	1988	zity0559.exe	89
PID 1988 wrote to memory of 1400	1988	zity0559.exe	94
PID 1988 wrote to memory of 1400	1988	zity0559.exe	94
PID 1988 wrote to memory of 1400	1988	zity0559.exe	94
PID 1440 wrote to memory of 876	1440	ziAp9882.exe	100
PID 1440 wrote to memory of 876	1440	ziAp9882.exe	100
PID 1440 wrote to memory of 876	1440	ziAp9882.exe	100
PID 1732 wrote to memory of 3000	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	101
PID 1732 wrote to memory of 3000	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	101
PID 1732 wrote to memory of 3000	1732	342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe	101
PID 3000 wrote to memory of 5020	3000	lr758745.exe	121
PID 3000 wrote to memory of 5020	3000	lr758745.exe	121
PID 3000 wrote to memory of 5020	3000	lr758745.exe	121
PID 5020 wrote to memory of 2580	5020	oneetx.exe	138
PID 5020 wrote to memory of 2580	5020	oneetx.exe	138
PID 5020 wrote to memory of 2580	5020	oneetx.exe	138
PID 5020 wrote to memory of 4620	5020	oneetx.exe	144
PID 5020 wrote to memory of 4620	5020	oneetx.exe	144
PID 5020 wrote to memory of 4620	5020	oneetx.exe	144
PID 4620 wrote to memory of 5032	4620	cmd.exe	148
PID 4620 wrote to memory of 5032	4620	cmd.exe	148
PID 4620 wrote to memory of 5032	4620	cmd.exe	148
PID 4620 wrote to memory of 3276	4620	cmd.exe	149
PID 4620 wrote to memory of 3276	4620	cmd.exe	149
PID 4620 wrote to memory of 3276	4620	cmd.exe	149
PID 4620 wrote to memory of 1044	4620	cmd.exe	150
PID 4620 wrote to memory of 1044	4620	cmd.exe	150
PID 4620 wrote to memory of 1044	4620	cmd.exe	150
PID 4620 wrote to memory of 2288	4620	cmd.exe	151
PID 4620 wrote to memory of 2288	4620	cmd.exe	151
PID 4620 wrote to memory of 2288	4620	cmd.exe	151
PID 4620 wrote to memory of 1932	4620	cmd.exe	152
PID 4620 wrote to memory of 1932	4620	cmd.exe	152
PID 4620 wrote to memory of 1932	4620	cmd.exe	152
PID 4620 wrote to memory of 1128	4620	cmd.exe	153
PID 4620 wrote to memory of 1128	4620	cmd.exe	153
PID 4620 wrote to memory of 1128	4620	cmd.exe	153
PID 5020 wrote to memory of 4844	5020	oneetx.exe	167
PID 5020 wrote to memory of 4844	5020	oneetx.exe	167
PID 5020 wrote to memory of 4844	5020	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe
"C:\Users\Admin\AppData\Local\Temp\342ea387741b1e0a40b5b241e470929b4909117515ba2e4ada8a4bd11b2fde8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAp9882.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAp9882.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zity0559.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zity0559.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981728.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981728.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr012818.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr012818.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 2140
        5⤵
        Program crash
        
        PID:3768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267483.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267483.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758745.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758745.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 712
    3⤵
    - Program crash
    PID:3204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 796
    3⤵
    - Program crash
    PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 812
    3⤵
    - Program crash
    PID:3408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 976
    3⤵
    - Program crash
    PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 952
    3⤵
    - Program crash
    PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 976
    3⤵
    - Program crash
    PID:1936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1220
    3⤵
    - Program crash
    PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1252
    3⤵
    - Program crash
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1316
    3⤵
    - Program crash
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 708
      4⤵
      Program crash
      PID:1664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 832
      4⤵
      Program crash
      PID:3744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 916
      4⤵
      Program crash
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1056
      4⤵
      Program crash
      PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1064
      4⤵
      Program crash
      PID:4500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1064
      4⤵
      Program crash
      PID:2624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1148
      4⤵
      Program crash
      PID:228
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 996
      4⤵
      Program crash
      PID:2532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 780
      4⤵
      Program crash
      PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:1128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1320
      4⤵
      Program crash
      PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 944
      4⤵
      Program crash
      PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1312
      4⤵
      Program crash
      PID:3204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1344
      4⤵
      Program crash
      PID:2780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1172
      4⤵
      Program crash
      PID:1008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1164
      4⤵
      Program crash
      PID:4676
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1592
      4⤵
      Program crash
      PID:4864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1656
      4⤵
      Program crash
      PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1364
    3⤵
    - Program crash
    PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1400 -ip 1400
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3000 -ip 3000
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3000 -ip 3000
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3000 -ip 3000
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3000 -ip 3000
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3000 -ip 3000
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3000 -ip 3000
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3000 -ip 3000
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3000 -ip 3000
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3000 -ip 3000
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3000 -ip 3000
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5020 -ip 5020
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5020 -ip 5020
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5020 -ip 5020
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5020 -ip 5020
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5020 -ip 5020
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5020 -ip 5020
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5020 -ip 5020
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5020 -ip 5020
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5020 -ip 5020
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5020 -ip 5020
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5020 -ip 5020
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5020 -ip 5020
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5020 -ip 5020
1⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 424
  2⤵
  - Program crash
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1464 -ip 1464
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5020 -ip 5020
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5020 -ip 5020
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5020 -ip 5020
1⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 428
  2⤵
  - Program crash
  PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5024 -ip 5024
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758745.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758745.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAp9882.exe

Filesize
568KB

MD5
da3248b168ae8cd97b67a226f22a1a50

SHA1
d3d16c6e39d44c084fdb486aaa3c4df94879efc8

SHA256
82001a23fde056bd459b9e44ba74ff53d17ab1c1b5cda0c4abc3e9d8472af903

SHA512
f973ef6bf71fa3bfd3690b3960ed5dd0994d932786fd5a346f271e1356fd5e8aaa3f810a08a6197079d952fa461989336634c81236388e74418230970b16fc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAp9882.exe

Filesize
568KB

MD5
da3248b168ae8cd97b67a226f22a1a50

SHA1
d3d16c6e39d44c084fdb486aaa3c4df94879efc8

SHA256
82001a23fde056bd459b9e44ba74ff53d17ab1c1b5cda0c4abc3e9d8472af903

SHA512
f973ef6bf71fa3bfd3690b3960ed5dd0994d932786fd5a346f271e1356fd5e8aaa3f810a08a6197079d952fa461989336634c81236388e74418230970b16fc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267483.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267483.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zity0559.exe

Filesize
414KB

MD5
f85a71bcb505f784d2a4550f7094ee43

SHA1
463eca20d13e14f98949e54dbbdcdc0d384d6e8a

SHA256
71b114ef8bfedd42399e70eb2f5eb94de6966d1a06ed46580c0975a761c8d254

SHA512
24a990168359b009f7ea394e87616a7c3631c04c452e3127acac4ea48abbe5e848706481bb00ff77ddfa002aac16fd5bdb9b04e724b89ad0c74e27593c999fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zity0559.exe

Filesize
414KB

MD5
f85a71bcb505f784d2a4550f7094ee43

SHA1
463eca20d13e14f98949e54dbbdcdc0d384d6e8a

SHA256
71b114ef8bfedd42399e70eb2f5eb94de6966d1a06ed46580c0975a761c8d254

SHA512
24a990168359b009f7ea394e87616a7c3631c04c452e3127acac4ea48abbe5e848706481bb00ff77ddfa002aac16fd5bdb9b04e724b89ad0c74e27593c999fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981728.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it981728.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr012818.exe

Filesize
360KB

MD5
37b0eadca9c1e34302d2eed78640aa14

SHA1
e75c207622e2a8f8000b7e0b8db317ac8b5fb33e

SHA256
658650544ae31e5f3e572383fe519798f0197a1edae6c1c4f4acf858f8d9a8b4

SHA512
03eca86a2d0d634dfaf54d8a5be931bf2c668304d01a40983a0d4ac3d6d7183d7c4ce45662078d84a9112ee8ca6203c7a491ee8c64890ceb33c0711df1a443b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr012818.exe

Filesize
360KB

MD5
37b0eadca9c1e34302d2eed78640aa14

SHA1
e75c207622e2a8f8000b7e0b8db317ac8b5fb33e

SHA256
658650544ae31e5f3e572383fe519798f0197a1edae6c1c4f4acf858f8d9a8b4

SHA512
03eca86a2d0d634dfaf54d8a5be931bf2c668304d01a40983a0d4ac3d6d7183d7c4ce45662078d84a9112ee8ca6203c7a491ee8c64890ceb33c0711df1a443b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/876-974-0x0000000007F40000-0x0000000007F50000-memory.dmp

Filesize
64KB

Download
memory/876-973-0x0000000000E90000-0x0000000000EB8000-memory.dmp

Filesize
160KB

Download
memory/1400-203-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-227-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-183-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-187-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-185-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-189-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-191-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-193-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1400-196-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1400-197-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-194-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-199-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-201-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-179-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-205-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-207-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-209-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-211-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-213-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-215-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-217-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-221-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-219-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-223-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-225-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-181-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-956-0x0000000009DB0000-0x000000000A3C8000-memory.dmp

Filesize
6.1MB

Download
memory/1400-957-0x000000000A450000-0x000000000A462000-memory.dmp

Filesize
72KB

Download
memory/1400-958-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/1400-959-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/1400-960-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/1400-961-0x000000000A890000-0x000000000A8F6000-memory.dmp

Filesize
408KB

Download
memory/1400-962-0x000000000AF60000-0x000000000AFF2000-memory.dmp

Filesize
584KB

Download
memory/1400-963-0x000000000B250000-0x000000000B2A0000-memory.dmp

Filesize
320KB

Download
memory/1400-177-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-175-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-964-0x000000000B2B0000-0x000000000B326000-memory.dmp

Filesize
472KB

Download
memory/1400-965-0x000000000B360000-0x000000000B37E000-memory.dmp

Filesize
120KB

Download
memory/1400-966-0x000000000B440000-0x000000000B602000-memory.dmp

Filesize
1.8MB

Download
memory/1400-967-0x000000000B810000-0x000000000BD3C000-memory.dmp

Filesize
5.2MB

Download
memory/1400-160-0x0000000002D40000-0x0000000002D86000-memory.dmp

Filesize
280KB

Download
memory/1400-161-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/1400-173-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-171-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-169-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-167-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-163-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-165-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1400-162-0x0000000004D60000-0x0000000004D95000-memory.dmp

Filesize
212KB

Download
memory/1716-154-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/3000-980-0x0000000002E00000-0x0000000002E35000-memory.dmp

Filesize
212KB

Download