88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6

General

Target

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Size

235KB
MD5

4337376d9ec4d6ed203a2b5cf5176e47
SHA1

e2d7ee39bfd8de8b6793b916543d9b7d4d0af43d
SHA256

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6
SHA512

5bc818a8f46d46b30ac90833257ad65307a3adf2db8d6469bfb5e69d95498d3aaec1dca6b8bdaa9003bb49829d555d9a51eb308952849e2c9c35fe7d8a33e626

Score

9^/10

discovery persistence

Malware Config

Signatures

ServiceHost packer 7 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2876-8-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-10-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-9-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2876-15-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 1 IoCs

Processes:

oqan.exe

pid process

2876 oqan.exe

pid	process
2876	oqan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oqan.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\Currentversion\Run	oqan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Alzeed = "C:\\Users\\Admin\\AppData\\Roaming\\Iviges\\oqan.exe"	oqan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

description pid process target process

PID 64 set thread context of 504 64 88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe cmd.exe

description	pid	process	target process
PID 64 set thread context of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3468	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
636	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2204	2876	WerFault.exe	oqan.exe
2772	2876	WerFault.exe	oqan.exe
992	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
1328	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2092	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
520	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
3872	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
4008	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2236	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2192	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2832	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2904	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
3824	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
3712	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
2600	2876	WerFault.exe	oqan.exe
3988	2876	WerFault.exe	oqan.exe
3352	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
8	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
1676	2876	WerFault.exe	oqan.exe
2788	2876	WerFault.exe	oqan.exe
1288	64	WerFault.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
3388	2876	WerFault.exe	oqan.exe
1564	2876	WerFault.exe	oqan.exe
416	2876	WerFault.exe	oqan.exe
4056	2876	WerFault.exe	oqan.exe
2216	2876	WerFault.exe	oqan.exe
3184	2876	WerFault.exe	oqan.exe
848	2876	WerFault.exe	oqan.exe
3524	2876	WerFault.exe	oqan.exe
184	2876	WerFault.exe	oqan.exe
1252	2876	WerFault.exe	oqan.exe
1920	2876	WerFault.exe	oqan.exe
1156	2876	WerFault.exe	oqan.exe
584	2876	WerFault.exe	oqan.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Privacy	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

Suspicious behavior: EnumeratesProcesses 102 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeoqan.exe

pid	process
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
3468	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
636	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe
2876	oqan.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

WerFault.exeWerFault.exe88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3468	WerFault.exe
Token: SeBackupPrivilege	3468	WerFault.exe
Token: SeDebugPrivilege	3468	WerFault.exe
Token: SeDebugPrivilege	636	WerFault.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeDebugPrivilege	2204	WerFault.exe
Token: SeDebugPrivilege	2772	WerFault.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
Token: SeSecurityPrivilege	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe

Suspicious use of WriteProcessMemory 71 IoCs

Processes:

88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exeoqan.exe

description	pid	process	target process
PID 64 wrote to memory of 2876	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	oqan.exe
PID 64 wrote to memory of 2876	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	oqan.exe
PID 64 wrote to memory of 2876	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	oqan.exe
PID 2876 wrote to memory of 2340	2876	oqan.exe	sihost.exe
PID 2876 wrote to memory of 2340	2876	oqan.exe	sihost.exe
PID 2876 wrote to memory of 2340	2876	oqan.exe	sihost.exe
PID 2876 wrote to memory of 2340	2876	oqan.exe	sihost.exe
PID 2876 wrote to memory of 2340	2876	oqan.exe	sihost.exe
PID 2876 wrote to memory of 2352	2876	oqan.exe	svchost.exe
PID 2876 wrote to memory of 2352	2876	oqan.exe	svchost.exe
PID 2876 wrote to memory of 2352	2876	oqan.exe	svchost.exe
PID 2876 wrote to memory of 2352	2876	oqan.exe	svchost.exe
PID 2876 wrote to memory of 2352	2876	oqan.exe	svchost.exe
PID 2876 wrote to memory of 2440	2876	oqan.exe	taskhostw.exe
PID 2876 wrote to memory of 2440	2876	oqan.exe	taskhostw.exe
PID 2876 wrote to memory of 2440	2876	oqan.exe	taskhostw.exe
PID 2876 wrote to memory of 2440	2876	oqan.exe	taskhostw.exe
PID 2876 wrote to memory of 2440	2876	oqan.exe	taskhostw.exe
PID 2876 wrote to memory of 2864	2876	oqan.exe	Explorer.EXE
PID 2876 wrote to memory of 2864	2876	oqan.exe	Explorer.EXE
PID 2876 wrote to memory of 2864	2876	oqan.exe	Explorer.EXE
PID 2876 wrote to memory of 2864	2876	oqan.exe	Explorer.EXE
PID 2876 wrote to memory of 2864	2876	oqan.exe	Explorer.EXE
PID 2876 wrote to memory of 3260	2876	oqan.exe	ShellExperienceHost.exe
PID 2876 wrote to memory of 3260	2876	oqan.exe	ShellExperienceHost.exe
PID 2876 wrote to memory of 3260	2876	oqan.exe	ShellExperienceHost.exe
PID 2876 wrote to memory of 3260	2876	oqan.exe	ShellExperienceHost.exe
PID 2876 wrote to memory of 3260	2876	oqan.exe	ShellExperienceHost.exe
PID 2876 wrote to memory of 3272	2876	oqan.exe	SearchUI.exe
PID 2876 wrote to memory of 3272	2876	oqan.exe	SearchUI.exe
PID 2876 wrote to memory of 3272	2876	oqan.exe	SearchUI.exe
PID 2876 wrote to memory of 3272	2876	oqan.exe	SearchUI.exe
PID 2876 wrote to memory of 3272	2876	oqan.exe	SearchUI.exe
PID 2876 wrote to memory of 3532	2876	oqan.exe	RuntimeBroker.exe
PID 2876 wrote to memory of 3532	2876	oqan.exe	RuntimeBroker.exe
PID 2876 wrote to memory of 3532	2876	oqan.exe	RuntimeBroker.exe
PID 2876 wrote to memory of 3532	2876	oqan.exe	RuntimeBroker.exe
PID 2876 wrote to memory of 3532	2876	oqan.exe	RuntimeBroker.exe
PID 2876 wrote to memory of 3780	2876	oqan.exe	DllHost.exe
PID 2876 wrote to memory of 3780	2876	oqan.exe	DllHost.exe
PID 2876 wrote to memory of 3780	2876	oqan.exe	DllHost.exe
PID 2876 wrote to memory of 3780	2876	oqan.exe	DllHost.exe
PID 2876 wrote to memory of 3780	2876	oqan.exe	DllHost.exe
PID 2876 wrote to memory of 64	2876	oqan.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 2876 wrote to memory of 64	2876	oqan.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 2876 wrote to memory of 64	2876	oqan.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 2876 wrote to memory of 64	2876	oqan.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 2876 wrote to memory of 64	2876	oqan.exe	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
PID 2876 wrote to memory of 2448	2876	oqan.exe	slui.exe
PID 2876 wrote to memory of 2448	2876	oqan.exe	slui.exe
PID 2876 wrote to memory of 2448	2876	oqan.exe	slui.exe
PID 2876 wrote to memory of 2448	2876	oqan.exe	slui.exe
PID 2876 wrote to memory of 2448	2876	oqan.exe	slui.exe
PID 2876 wrote to memory of 1336	2876	oqan.exe
PID 2876 wrote to memory of 1336	2876	oqan.exe
PID 2876 wrote to memory of 1336	2876	oqan.exe
PID 2876 wrote to memory of 1336	2876	oqan.exe
PID 2876 wrote to memory of 1336	2876	oqan.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe
PID 64 wrote to memory of 504	64	88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe	cmd.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2352

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe
"C:\Users\Admin\AppData\Local\Temp\88f9a5e66ae617012a32381f78f76af3beb3f409e3e8e5520db6bc6b1584b9a6.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 668
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 704
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\Iviges\oqan.exe
"C:\Users\Admin\AppData\Roaming\Iviges\oqan.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 652
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 380
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 744
4⤵
- Program crash
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 780
4⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 860
4⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 892
4⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 744
4⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 796
4⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 808
4⤵
- Program crash
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 748
4⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 728
4⤵
- Program crash
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 968
4⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 972
4⤵
- Program crash
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 892
4⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1072
4⤵
- Program crash
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1356
4⤵
- Program crash
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1452
4⤵
- Program crash
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1452
4⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1484
4⤵
- Program crash
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 672
3⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 832
3⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 876
3⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 836
3⤵
- Program crash
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 916
3⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 996
3⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 652
3⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 940
3⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1072
3⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1160
3⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1204
3⤵
- Program crash
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1240
3⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1352
3⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1388
3⤵
- Program crash
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp44b17896.bat"
3⤵
PID:504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 268
3⤵
- Program crash
PID:1288

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3272

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3780

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
PID:2448

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Buan\ceow.urt
MD5
9bab57f739616dbb2ddd6749c989984d

SHA1
5757af60e397fe337d640687209b2d1c2cb6ff73

SHA256
d373bf02e0d83bfabea32712ebfa45382b17dd956d8a3c1a01ea55b89e2c0a69

SHA512
4f9e6c2dbef980965312cad968bfea2c06ed2cb58fbc5fb307c44486197dce52c1f9237cfdfbc99f4097439fa2d72fc705b420503ce2a6757fd461df30217670

Download Submit
C:\Users\Admin\AppData\Roaming\Iviges\oqan.exe
MD5
8e4f190760742008e548ee098d5481da

SHA1
49f8ed2829c20d75fe0bb0619c938c5f9dfe4e5f

SHA256
81a8595c2131697d80921aaece0f20c93a0ed892d4e266ab4e473539f0680e4f

SHA512
d16d30e62a55bc416156eb00b1cd9db7193f55fcb1924b43887ad4941b35263e67683151b28df1c9e138a2c8a3f6085d49431c48afd1b0f5085f324b24be6dec

Download Submit
C:\Users\Admin\AppData\Roaming\Iviges\oqan.exe
MD5
8e4f190760742008e548ee098d5481da

SHA1
49f8ed2829c20d75fe0bb0619c938c5f9dfe4e5f

SHA256
81a8595c2131697d80921aaece0f20c93a0ed892d4e266ab4e473539f0680e4f

SHA512
d16d30e62a55bc416156eb00b1cd9db7193f55fcb1924b43887ad4941b35263e67683151b28df1c9e138a2c8a3f6085d49431c48afd1b0f5085f324b24be6dec

Download Submit
memory/64-24-0x0000000000130000-0x000000000016B000-memory.dmp

Filesize
236KB

Download
memory/504-26-0x000000000076EA5B-mapping.dmp

Download
memory/504-25-0x0000000000760000-0x000000000079B000-memory.dmp

Filesize
236KB

Download
memory/636-2-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/636-3-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2204-12-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2204-7-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2772-20-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2772-16-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/2876-13-0x0000000000000000-mapping.dmp

Download
memory/2876-19-0x0000000000000000-mapping.dmp

Download
memory/2876-4-0x0000000000000000-mapping.dmp

Download
memory/2876-15-0x0000000000000000-mapping.dmp

Download
memory/2876-11-0x0000000000000000-mapping.dmp

Download
memory/2876-17-0x0000000000000000-mapping.dmp

Download
memory/2876-18-0x0000000000000000-mapping.dmp

Download
memory/2876-14-0x0000000000000000-mapping.dmp

Download
memory/2876-9-0x0000000000000000-mapping.dmp

Download
memory/2876-21-0x0000000000000000-mapping.dmp

Download
memory/2876-22-0x0000000000000000-mapping.dmp

Download
memory/2876-23-0x0000000000000000-mapping.dmp

Download
memory/2876-10-0x0000000000000000-mapping.dmp

Download
memory/2876-8-0x0000000000000000-mapping.dmp

Download
memory/3468-0-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3468-1-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads