042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe
Size

923KB
MD5

20a8e12a0c47aa4b146d0ad863d18bb0
SHA1

7c1788e8a40826b89e97bed0b0d918062b0d51c6
SHA256

042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df
SHA512

62edbb7d051f6fec620c129ad4f96b914633b96303ac74c30718614697a7cb6c91423bb519581d5962a45e3e6f0c297ab5262571b2bb1bdd5af9d049fdb75c44
SSDEEP

24576:oyv4mBxeZAV41HrkC7ESJGgLUZNEm/qL:v7B6aCwyUZ

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it894309.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it894309.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it894309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it894309.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it894309.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it894309.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr628613.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4768	ziYb9752.exe
2204	zicX0417.exe
624	it894309.exe
2804	jr606469.exe
3800	kp286577.exe
2936	lr628613.exe
1688	oneetx.exe
3964	oneetx.exe
436	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3652	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it894309.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziYb9752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziYb9752.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zicX0417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zicX0417.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
1888	2804	WerFault.exe	91
4616	2936	WerFault.exe	95
4776	2936	WerFault.exe	95
2320	2936	WerFault.exe	95
2600	2936	WerFault.exe	95
4172	2936	WerFault.exe	95
1564	2936	WerFault.exe	95
3708	2936	WerFault.exe	95
1584	2936	WerFault.exe	95
2080	2936	WerFault.exe	95
4216	2936	WerFault.exe	95
1012	1688	WerFault.exe	115
1440	1688	WerFault.exe	115
4364	1688	WerFault.exe	115
1500	1688	WerFault.exe	115
1492	1688	WerFault.exe	115
2920	1688	WerFault.exe	115
812	1688	WerFault.exe	115
3272	1688	WerFault.exe	115
4968	1688	WerFault.exe	115
4832	1688	WerFault.exe	115
2204	1688	WerFault.exe	115
4876	1688	WerFault.exe	115
2368	1688	WerFault.exe	115
1752	3964	WerFault.exe	157
4972	1688	WerFault.exe	115
5044	1688	WerFault.exe	115
4296	1688	WerFault.exe	115
4472	436	WerFault.exe	168
3432	1688	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
624	it894309.exe
624	it894309.exe
2804	jr606469.exe
2804	jr606469.exe
3800	kp286577.exe
3800	kp286577.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	it894309.exe
Token: SeDebugPrivilege	2804	jr606469.exe
Token: SeDebugPrivilege	3800	kp286577.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	lr628613.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4768	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	85
PID 4432 wrote to memory of 4768	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	85
PID 4432 wrote to memory of 4768	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	85
PID 4768 wrote to memory of 2204	4768	ziYb9752.exe	86
PID 4768 wrote to memory of 2204	4768	ziYb9752.exe	86
PID 4768 wrote to memory of 2204	4768	ziYb9752.exe	86
PID 2204 wrote to memory of 624	2204	zicX0417.exe	87
PID 2204 wrote to memory of 624	2204	zicX0417.exe	87
PID 2204 wrote to memory of 2804	2204	zicX0417.exe	91
PID 2204 wrote to memory of 2804	2204	zicX0417.exe	91
PID 2204 wrote to memory of 2804	2204	zicX0417.exe	91
PID 4768 wrote to memory of 3800	4768	ziYb9752.exe	94
PID 4768 wrote to memory of 3800	4768	ziYb9752.exe	94
PID 4768 wrote to memory of 3800	4768	ziYb9752.exe	94
PID 4432 wrote to memory of 2936	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	95
PID 4432 wrote to memory of 2936	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	95
PID 4432 wrote to memory of 2936	4432	042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe	95
PID 2936 wrote to memory of 1688	2936	lr628613.exe	115
PID 2936 wrote to memory of 1688	2936	lr628613.exe	115
PID 2936 wrote to memory of 1688	2936	lr628613.exe	115
PID 1688 wrote to memory of 4228	1688	oneetx.exe	133
PID 1688 wrote to memory of 4228	1688	oneetx.exe	133
PID 1688 wrote to memory of 4228	1688	oneetx.exe	133
PID 1688 wrote to memory of 3136	1688	oneetx.exe	139
PID 1688 wrote to memory of 3136	1688	oneetx.exe	139
PID 1688 wrote to memory of 3136	1688	oneetx.exe	139
PID 3136 wrote to memory of 4288	3136	cmd.exe	143
PID 3136 wrote to memory of 4288	3136	cmd.exe	143
PID 3136 wrote to memory of 4288	3136	cmd.exe	143
PID 3136 wrote to memory of 4312	3136	cmd.exe	144
PID 3136 wrote to memory of 4312	3136	cmd.exe	144
PID 3136 wrote to memory of 4312	3136	cmd.exe	144
PID 3136 wrote to memory of 732	3136	cmd.exe	145
PID 3136 wrote to memory of 732	3136	cmd.exe	145
PID 3136 wrote to memory of 732	3136	cmd.exe	145
PID 3136 wrote to memory of 1212	3136	cmd.exe	146
PID 3136 wrote to memory of 1212	3136	cmd.exe	146
PID 3136 wrote to memory of 1212	3136	cmd.exe	146
PID 3136 wrote to memory of 4760	3136	cmd.exe	147
PID 3136 wrote to memory of 4760	3136	cmd.exe	147
PID 3136 wrote to memory of 4760	3136	cmd.exe	147
PID 3136 wrote to memory of 1988	3136	cmd.exe	148
PID 3136 wrote to memory of 1988	3136	cmd.exe	148
PID 3136 wrote to memory of 1988	3136	cmd.exe	148
PID 1688 wrote to memory of 3652	1688	oneetx.exe	165
PID 1688 wrote to memory of 3652	1688	oneetx.exe	165
PID 1688 wrote to memory of 3652	1688	oneetx.exe	165

C:\Users\Admin\AppData\Local\Temp\042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe
"C:\Users\Admin\AppData\Local\Temp\042a54b0e09b9b04c9f5b8181d7f83e443abb5112079dc258d1cd2d6349cf6df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYb9752.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYb9752.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicX0417.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicX0417.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it894309.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it894309.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr606469.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr606469.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1320
        5⤵
        Program crash
        
        PID:1888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp286577.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp286577.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr628613.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr628613.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 696
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 788
    3⤵
    - Program crash
    PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 856
    3⤵
    - Program crash
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 960
    3⤵
    - Program crash
    PID:2600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 980
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 964
    3⤵
    - Program crash
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1216
    3⤵
    - Program crash
    PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1208
    3⤵
    - Program crash
    PID:1584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1316
    3⤵
    - Program crash
    PID:2080
- - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 692
      4⤵
      Program crash
      PID:1012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 836
      4⤵
      Program crash
      PID:1440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 868
      4⤵
      Program crash
      PID:4364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1052
      4⤵
      Program crash
      PID:1500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1060
      4⤵
      Program crash
      PID:1492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1060
      4⤵
      Program crash
      PID:2920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1112
      4⤵
      Program crash
      PID:812
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 992
      4⤵
      Program crash
      PID:3272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 724
      4⤵
      Program crash
      PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4288
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4312
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        5⤵
        
        PID:4760
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1348
      4⤵
      Program crash
      PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1324
      4⤵
      Program crash
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1300
      4⤵
      Program crash
      PID:4876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1336
      4⤵
      Program crash
      PID:2368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1136
      4⤵
      Program crash
      PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1156
      4⤵
      Program crash
      PID:5044
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1068
      4⤵
      Program crash
      PID:4296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1672
      4⤵
      Program crash
      PID:3432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1428
    3⤵
    - Program crash
    PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2804 -ip 2804
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2936 -ip 2936
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2936 -ip 2936
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2936 -ip 2936
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2936 -ip 2936
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2936 -ip 2936
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2936 -ip 2936
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2936 -ip 2936
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2936 -ip 2936
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1688 -ip 1688
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1688 -ip 1688
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1688 -ip 1688
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1688 -ip 1688
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1688 -ip 1688
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1688 -ip 1688
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1688 -ip 1688
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1688 -ip 1688
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1688 -ip 1688
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1688 -ip 1688
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1688 -ip 1688
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1688 -ip 1688
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1688 -ip 1688
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 316
  2⤵
  - Program crash
  PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3964 -ip 3964
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1688 -ip 1688
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1688 -ip 1688
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1688 -ip 1688
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 316
  2⤵
  - Program crash
  PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 436 -ip 436
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1688 -ip 1688
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr628613.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr628613.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYb9752.exe

Filesize
617KB

MD5
b97c51475034bb8d5cf27670c06577f5

SHA1
9b54355f313ab9789db4e9dd2d74451cad219e81

SHA256
c725a6539f9e35e1953e4427ed2c763282859d9c5fd5a7a99503bce6ce0900d3

SHA512
2d0c0addba2444d2d57692db36c450e1be8220c5a4f5f123a15965e07252fcd44625c9c572f8cad36c0509d8ba21454f0bebd70107a4f5c96ad59f8ded2b1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYb9752.exe

Filesize
617KB

MD5
b97c51475034bb8d5cf27670c06577f5

SHA1
9b54355f313ab9789db4e9dd2d74451cad219e81

SHA256
c725a6539f9e35e1953e4427ed2c763282859d9c5fd5a7a99503bce6ce0900d3

SHA512
2d0c0addba2444d2d57692db36c450e1be8220c5a4f5f123a15965e07252fcd44625c9c572f8cad36c0509d8ba21454f0bebd70107a4f5c96ad59f8ded2b1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp286577.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp286577.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicX0417.exe

Filesize
462KB

MD5
a4e8bdf7de578a96dbc5c95d45e8257a

SHA1
7c4b874cd534dafc82f86a03c5d863a51cbf47d5

SHA256
80b47cdd189963ae22b537d94d4f79dcdb5c284b5b566a02b7fb4684138f2c9f

SHA512
44b825fa119d96924bb04bd689a9413657926b1c7e08c04b255498819c16a619a5ee8ba8afc37d903a004459964f1f40fade65ebd06f815260bfe6abf2b9cdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicX0417.exe

Filesize
462KB

MD5
a4e8bdf7de578a96dbc5c95d45e8257a

SHA1
7c4b874cd534dafc82f86a03c5d863a51cbf47d5

SHA256
80b47cdd189963ae22b537d94d4f79dcdb5c284b5b566a02b7fb4684138f2c9f

SHA512
44b825fa119d96924bb04bd689a9413657926b1c7e08c04b255498819c16a619a5ee8ba8afc37d903a004459964f1f40fade65ebd06f815260bfe6abf2b9cdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it894309.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it894309.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr606469.exe

Filesize
474KB

MD5
5d8f2673342bb20d4a36a7e1dd3232ba

SHA1
d7f230ffa7469083a1a482066f615c2a036d906c

SHA256
df0b4b2495a94ab6d24e8431cde40fa41ccf09a82cc2f405b6d21012a6c23fa5

SHA512
e0f5e74b0c7695ef30aad333c6704ca897c31318437636c8290213f61069943a541dfb775bba292ca95ec194c38eb1d609c77c316d6cfbf92fa10ec3ecdcfa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr606469.exe

Filesize
474KB

MD5
5d8f2673342bb20d4a36a7e1dd3232ba

SHA1
d7f230ffa7469083a1a482066f615c2a036d906c

SHA256
df0b4b2495a94ab6d24e8431cde40fa41ccf09a82cc2f405b6d21012a6c23fa5

SHA512
e0f5e74b0c7695ef30aad333c6704ca897c31318437636c8290213f61069943a541dfb775bba292ca95ec194c38eb1d609c77c316d6cfbf92fa10ec3ecdcfa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
370KB

MD5
438205ae8a2c022366a7b4e35beae5ff

SHA1
39402f1d57e45e90c39a127cca95e17ba45fa0ad

SHA256
eba17987aa92b4e622c68fe632d692869d3fc9b6089b8d9f578c657aeb9a0504

SHA512
ab330a235fcb78058a5743909904674578634431146deea07c8cd4208ee50ad32357e1e50739eb5361239ce402ee04d712d00ab0d789df97b9f3f0139adc1c5b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
f577e9f9bb3716a1405af573fbf2afb4

SHA1
7e2a18c86e4912f9218fbe7c8cf64e04afb90f6e

SHA256
4b3391b13b28318497485a35a26a9c6389ef46eb497f473ff3ec06e0289fdbcb

SHA512
fb7791bd8dd6124a657fbf3de52864442a66209540e34a3f085bcb0019937712b3a538e092751baf57bbe9abd6b764e02dc0b214a02492ec4b8459029b0d7add

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/624-154-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/2804-201-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-223-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-177-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-179-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-181-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-183-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-185-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-187-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-189-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-191-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-193-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-195-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-197-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-199-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-173-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-203-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-205-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-207-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-209-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-211-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-213-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-215-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-217-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-219-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-221-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-175-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-225-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-227-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-956-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/2804-957-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2804-958-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2804-959-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2804-960-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2804-961-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/2804-962-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/2804-963-0x0000000008D80000-0x0000000008DF6000-memory.dmp

Filesize
472KB

Download
memory/2804-964-0x0000000008E50000-0x0000000009012000-memory.dmp

Filesize
1.8MB

Download
memory/2804-965-0x0000000009040000-0x000000000956C000-memory.dmp

Filesize
5.2MB

Download
memory/2804-966-0x0000000009670000-0x000000000968E000-memory.dmp

Filesize
120KB

Download
memory/2804-967-0x00000000026F0000-0x0000000002740000-memory.dmp

Filesize
320KB

Download
memory/2804-160-0x0000000000990000-0x00000000009D6000-memory.dmp

Filesize
280KB

Download
memory/2804-171-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-169-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-167-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-165-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-164-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/2804-163-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/2804-162-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2804-161-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2936-981-0x0000000000C10000-0x0000000000C45000-memory.dmp

Filesize
212KB

Download
memory/3800-974-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/3800-975-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download