1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89

Analysis

max time kernel
145s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe
Size

936KB
MD5

07b5402096892f7287a754dc9b2129a2
SHA1

7b0218428306ed34e3129fcb676520d3dd2700c0
SHA256

1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89
SHA512

a41a96682e8be084fb6cb241b772505b02ca292966975365b3b765f64f7c13d2aa263c96a282c2cc1318016531f5e8385780721c17ce4d12941d568c4ea87e34
SSDEEP

24576:Qyx264EzNfNgvvNqiPAViKkA9XG1/cTDuPU:XcUzNf+v8iPA0KRXG1/ceP

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it430392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it430392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it430392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it430392.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it430392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it430392.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	lr511513.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
2140	zitc4657.exe
4528	ziKD8443.exe
224	it430392.exe
4752	jr145775.exe
4848	kp356315.exe
2956	lr511513.exe
1380	oneetx.exe
3164	oneetx.exe
3452	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it430392.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zitc4657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zitc4657.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziKD8443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziKD8443.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
3848	4752	WerFault.exe	91
1508	2956	WerFault.exe	95
1768	2956	WerFault.exe	95
1936	2956	WerFault.exe	95
2276	2956	WerFault.exe	95
4616	2956	WerFault.exe	95
2520	2956	WerFault.exe	95
4060	2956	WerFault.exe	95
1568	2956	WerFault.exe	95
3256	2956	WerFault.exe	95
4108	2956	WerFault.exe	95
3356	1380	WerFault.exe	115
1420	1380	WerFault.exe	115
3692	1380	WerFault.exe	115
3904	1380	WerFault.exe	115
2016	1380	WerFault.exe	115
4592	1380	WerFault.exe	115
1700	1380	WerFault.exe	115
4368	1380	WerFault.exe	115
928	1380	WerFault.exe	115
4812	1380	WerFault.exe	115
2420	1380	WerFault.exe	115
2772	1380	WerFault.exe	115
3804	1380	WerFault.exe	115
2464	1380	WerFault.exe	115
344	3164	WerFault.exe	160
3304	1380	WerFault.exe	115
4744	1380	WerFault.exe	115
2708	1380	WerFault.exe	115
2488	3452	WerFault.exe	170
4728	1380	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
224	it430392.exe
224	it430392.exe
4752	jr145775.exe
4752	jr145775.exe
4848	kp356315.exe
4848	kp356315.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	it430392.exe
Token: SeDebugPrivilege	4752	jr145775.exe
Token: SeDebugPrivilege	4848	kp356315.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2956	lr511513.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2140	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	85
PID 2128 wrote to memory of 2140	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	85
PID 2128 wrote to memory of 2140	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	85
PID 2140 wrote to memory of 4528	2140	zitc4657.exe	86
PID 2140 wrote to memory of 4528	2140	zitc4657.exe	86
PID 2140 wrote to memory of 4528	2140	zitc4657.exe	86
PID 4528 wrote to memory of 224	4528	ziKD8443.exe	87
PID 4528 wrote to memory of 224	4528	ziKD8443.exe	87
PID 4528 wrote to memory of 4752	4528	ziKD8443.exe	91
PID 4528 wrote to memory of 4752	4528	ziKD8443.exe	91
PID 4528 wrote to memory of 4752	4528	ziKD8443.exe	91
PID 2140 wrote to memory of 4848	2140	zitc4657.exe	94
PID 2140 wrote to memory of 4848	2140	zitc4657.exe	94
PID 2140 wrote to memory of 4848	2140	zitc4657.exe	94
PID 2128 wrote to memory of 2956	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	95
PID 2128 wrote to memory of 2956	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	95
PID 2128 wrote to memory of 2956	2128	1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe	95
PID 2956 wrote to memory of 1380	2956	lr511513.exe	115
PID 2956 wrote to memory of 1380	2956	lr511513.exe	115
PID 2956 wrote to memory of 1380	2956	lr511513.exe	115
PID 1380 wrote to memory of 388	1380	oneetx.exe	136
PID 1380 wrote to memory of 388	1380	oneetx.exe	136
PID 1380 wrote to memory of 388	1380	oneetx.exe	136
PID 1380 wrote to memory of 3876	1380	oneetx.exe	142
PID 1380 wrote to memory of 3876	1380	oneetx.exe	142
PID 1380 wrote to memory of 3876	1380	oneetx.exe	142
PID 3876 wrote to memory of 1440	3876	cmd.exe	146
PID 3876 wrote to memory of 1440	3876	cmd.exe	146
PID 3876 wrote to memory of 1440	3876	cmd.exe	146
PID 3876 wrote to memory of 2944	3876	cmd.exe	147
PID 3876 wrote to memory of 2944	3876	cmd.exe	147
PID 3876 wrote to memory of 2944	3876	cmd.exe	147
PID 3876 wrote to memory of 3376	3876	cmd.exe	148
PID 3876 wrote to memory of 3376	3876	cmd.exe	148
PID 3876 wrote to memory of 3376	3876	cmd.exe	148
PID 3876 wrote to memory of 1280	3876	cmd.exe	149
PID 3876 wrote to memory of 1280	3876	cmd.exe	149
PID 3876 wrote to memory of 1280	3876	cmd.exe	149
PID 3876 wrote to memory of 4964	3876	cmd.exe	150
PID 3876 wrote to memory of 4964	3876	cmd.exe	150
PID 3876 wrote to memory of 4964	3876	cmd.exe	150
PID 3876 wrote to memory of 2196	3876	cmd.exe	151
PID 3876 wrote to memory of 2196	3876	cmd.exe	151
PID 3876 wrote to memory of 2196	3876	cmd.exe	151
PID 1380 wrote to memory of 1624	1380	oneetx.exe	167
PID 1380 wrote to memory of 1624	1380	oneetx.exe	167
PID 1380 wrote to memory of 1624	1380	oneetx.exe	167

C:\Users\Admin\AppData\Local\Temp\1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe
"C:\Users\Admin\AppData\Local\Temp\1ea52495be9178162ed0cb5c5b09e7e6b9018bf4c4db6002e42880c756251e89.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitc4657.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitc4657.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKD8443.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKD8443.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it430392.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it430392.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr145775.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr145775.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1996
        5⤵
        Program crash
        
        PID:3848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp356315.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp356315.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr511513.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr511513.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 696
    3⤵
    - Program crash
    PID:1508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 780
    3⤵
    - Program crash
    PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 860
    3⤵
    - Program crash
    PID:1936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 952
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 956
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 956
    3⤵
    - Program crash
    PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1212
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1232
    3⤵
    - Program crash
    PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1316
    3⤵
    - Program crash
    PID:3256
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 692
      4⤵
      Program crash
      PID:3356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 820
      4⤵
      Program crash
      PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 912
      4⤵
      Program crash
      PID:3692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1052
      4⤵
      Program crash
      PID:3904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1064
      4⤵
      Program crash
      PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1064
      4⤵
      Program crash
      PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1052
      4⤵
      Program crash
      PID:1700
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 992
      4⤵
      Program crash
      PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1288
      4⤵
      Program crash
      PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 992
      4⤵
      Program crash
      PID:4812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1328
      4⤵
      Program crash
      PID:2420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 692
      4⤵
      Program crash
      PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1320
      4⤵
      Program crash
      PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1528
      4⤵
      Program crash
      PID:2464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1108
      4⤵
      Program crash
      PID:3304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1628
      4⤵
      Program crash
      PID:4744
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1524
      4⤵
      Program crash
      PID:2708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1644
      4⤵
      Program crash
      PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 788
    3⤵
    - Program crash
    PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4752 -ip 4752
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2956 -ip 2956
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2956 -ip 2956
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2956 -ip 2956
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2956 -ip 2956
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2956 -ip 2956
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2956 -ip 2956
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2956 -ip 2956
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2956 -ip 2956
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2956 -ip 2956
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2956 -ip 2956
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1380 -ip 1380
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1380 -ip 1380
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1380 -ip 1380
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1380 -ip 1380
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1380 -ip 1380
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1380 -ip 1380
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1380 -ip 1380
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1380 -ip 1380
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1380 -ip 1380
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1380 -ip 1380
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1380 -ip 1380
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1380 -ip 1380
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1380 -ip 1380
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1380 -ip 1380
1⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 320
  2⤵
  - Program crash
  PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3164 -ip 3164
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1380 -ip 1380
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1380 -ip 1380
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1380 -ip 1380
1⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 320
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3452 -ip 3452
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1380 -ip 1380
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr511513.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr511513.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitc4657.exe

Filesize
623KB

MD5
cb22717083796a6cd74c089d3667ac08

SHA1
68f4d246c475809c60fd8ad3603b33cb2cad8fcc

SHA256
ae217e5a91fd8c18f2f0d4ca27ed91c84533a5874070b0dcc7bbc40df402e13d

SHA512
d8131703fc1c75980274b737f8f4293a4b5e7b81b3473870d1036197a249361dc88daa0a8612c6abcdafd6fcf2c054a29c1c9dda8b5b3e5878bf8542545ab361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitc4657.exe

Filesize
623KB

MD5
cb22717083796a6cd74c089d3667ac08

SHA1
68f4d246c475809c60fd8ad3603b33cb2cad8fcc

SHA256
ae217e5a91fd8c18f2f0d4ca27ed91c84533a5874070b0dcc7bbc40df402e13d

SHA512
d8131703fc1c75980274b737f8f4293a4b5e7b81b3473870d1036197a249361dc88daa0a8612c6abcdafd6fcf2c054a29c1c9dda8b5b3e5878bf8542545ab361

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp356315.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp356315.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKD8443.exe

Filesize
469KB

MD5
2b91290e50486a932c506d8be129b9fd

SHA1
f4f9b9f288e074e96d3492c6e33333dd4ce514cd

SHA256
41e497a8960b88c31cceb8d4628791aefdff9efc87c0deb28bca3f7249643108

SHA512
8f91f8c046302ffeb9b9d6addba1cbe75ad32f5864167ec8c8cb8c6bee2086bf6a5013e937aeb8ef882f043c48424a150eb53478b5e44c995ebba8a6c197aa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziKD8443.exe

Filesize
469KB

MD5
2b91290e50486a932c506d8be129b9fd

SHA1
f4f9b9f288e074e96d3492c6e33333dd4ce514cd

SHA256
41e497a8960b88c31cceb8d4628791aefdff9efc87c0deb28bca3f7249643108

SHA512
8f91f8c046302ffeb9b9d6addba1cbe75ad32f5864167ec8c8cb8c6bee2086bf6a5013e937aeb8ef882f043c48424a150eb53478b5e44c995ebba8a6c197aa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it430392.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it430392.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr145775.exe

Filesize
488KB

MD5
5d03be9f38173d219a9fe8f9b0893ddd

SHA1
b95fc62c1e0f32f5348b863515556b404ebbcc16

SHA256
bb76c9114307f3f9ccc6e0114cfd41200d8686aa71a4dd64cff22764094b7362

SHA512
a8b23af6e351a4b6e214ed949243fe6d1658ac702ecc6d2f0a6977afab9e218ce76c0e89984f2a1d8f55950e3ad3c55342ff5d32ef0a213dc93ec5da8c294cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr145775.exe

Filesize
488KB

MD5
5d03be9f38173d219a9fe8f9b0893ddd

SHA1
b95fc62c1e0f32f5348b863515556b404ebbcc16

SHA256
bb76c9114307f3f9ccc6e0114cfd41200d8686aa71a4dd64cff22764094b7362

SHA512
a8b23af6e351a4b6e214ed949243fe6d1658ac702ecc6d2f0a6977afab9e218ce76c0e89984f2a1d8f55950e3ad3c55342ff5d32ef0a213dc93ec5da8c294cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
383KB

MD5
5109a5aadab576422be20cf8939d50ec

SHA1
aba321a65e11b54dc65b4fb0a31fe0f2861d77c9

SHA256
949dc4e1e256f910f058dc7866ee99350d7ab78e875bf947fbd5c8f587fc8187

SHA512
3caaa9a91745cbb16cc45e75c79f9f8f4186b2f5c0d25fb6aa1e136709929a8cab8b36b260cdb8b1c31f86165a9e1a42b858cc069cd79bb8f2bf0758f024ff3b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/224-154-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2956-998-0x0000000000B80000-0x0000000000BB5000-memory.dmp

Filesize
212KB

Download
memory/2956-982-0x0000000000B80000-0x0000000000BB5000-memory.dmp

Filesize
212KB

Download
memory/4752-206-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-228-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-182-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-184-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-186-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-188-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-190-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-192-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-194-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-196-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-198-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-200-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-202-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-204-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-178-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-210-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-212-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-214-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-216-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-218-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-222-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-220-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-224-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-226-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-180-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-957-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4752-958-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4752-959-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-960-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4752-961-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4752-962-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4752-963-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/4752-964-0x0000000008C30000-0x0000000008CA6000-memory.dmp

Filesize
472KB

Download
memory/4752-965-0x0000000008CE0000-0x0000000008CFE000-memory.dmp

Filesize
120KB

Download
memory/4752-966-0x0000000008D80000-0x0000000008DD0000-memory.dmp

Filesize
320KB

Download
memory/4752-967-0x0000000008E20000-0x0000000008FE2000-memory.dmp

Filesize
1.8MB

Download
memory/4752-968-0x0000000008FF0000-0x000000000951C000-memory.dmp

Filesize
5.2MB

Download
memory/4752-160-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/4752-176-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-174-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-172-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-170-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-168-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-166-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-165-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/4752-164-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4752-162-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4752-163-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4752-161-0x0000000002470000-0x00000000024B6000-memory.dmp

Filesize
280KB

Download
memory/4848-975-0x00000000006C0000-0x00000000006E8000-memory.dmp

Filesize
160KB

Download
memory/4848-976-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download