e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a

General

Target

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
Size

1.1MB
MD5

6962527d9ac313319bd2b87cd12ab32c
SHA1

cd5c57102e56d6af901919edf41dd85d9f012351
SHA256

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a
SHA512

048f07a350e08d49e70b3a1a1d017c515f700ad0de2415130efe71c455b81cd656ab820104eff6bf39444d9cae1c2220066715ed8efec0e898602e9ea5ab3532

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

frm_QANATS.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" frm_QANATS.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

frm_QANATS.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" frm_QANATS.exe
Executes dropped EXE 3 IoCs

Processes:

frm_QANATS.exefrm_QANATS.exefrm_QANATS.exe

pid process

3564 frm_QANATS.exe
736 frm_QANATS.exe
4192 frm_QANATS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	frm_QANATS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	frm_QANATS.exe

pid	process
3564	frm_QANATS.exe
736	frm_QANATS.exe
4192	frm_QANATS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

frm_QANATS.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" frm_QANATS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	frm_QANATS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

frm_QANATS.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	frm_QANATS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\frm_Roldan = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\frm_QANATS.vbs\""	frm_QANATS.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

frm_QANATS.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" frm_QANATS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	frm_QANATS.exe

Program crash 46 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4088	4656	WerFault.exe	iexplore.exe
3088	2564	WerFault.exe	iexplore.exe
4368	2568	WerFault.exe	iexplore.exe
1920	3392	WerFault.exe	iexplore.exe
3876	1512	WerFault.exe	iexplore.exe
3248	1204	WerFault.exe	iexplore.exe
620	2916	WerFault.exe	iexplore.exe
2908	1268	WerFault.exe	iexplore.exe
3872	2688	WerFault.exe	iexplore.exe
2608	312	WerFault.exe	iexplore.exe
2168	3984	WerFault.exe	iexplore.exe
3056	2964	WerFault.exe	iexplore.exe
3140	4052	WerFault.exe	iexplore.exe
3164	4308	WerFault.exe	iexplore.exe
2924	3820	WerFault.exe	iexplore.exe
3560	3132	WerFault.exe	iexplore.exe
2216	4240	WerFault.exe	iexplore.exe
2940	2792	WerFault.exe	iexplore.exe
4136	4112	WerFault.exe	iexplore.exe
4140	4104	WerFault.exe	iexplore.exe
3456	2812	WerFault.exe	iexplore.exe
4780	2956	WerFault.exe	iexplore.exe
3292	1856	WerFault.exe	iexplore.exe
4752	3564	WerFault.exe	iexplore.exe
636	8	WerFault.exe	iexplore.exe
4088	5040	WerFault.exe	iexplore.exe
1064	1060	WerFault.exe	iexplore.exe
2056	1660	WerFault.exe	iexplore.exe
4768	1164	WerFault.exe	iexplore.exe
5052	1580	WerFault.exe	iexplore.exe
4936	2788	WerFault.exe	iexplore.exe
1376	4972	WerFault.exe	iexplore.exe
60	2304	WerFault.exe	iexplore.exe
2468	2440	WerFault.exe	iexplore.exe
3012	4740	WerFault.exe	iexplore.exe
4804	4000	WerFault.exe	iexplore.exe
2832	2028	WerFault.exe	iexplore.exe
4904	4296	WerFault.exe	iexplore.exe
4004	2612	WerFault.exe	iexplore.exe
3556	5100	WerFault.exe	iexplore.exe
3736	3696	WerFault.exe	iexplore.exe
1332	2560	WerFault.exe	iexplore.exe
3924	1500	WerFault.exe	iexplore.exe
2784	428	WerFault.exe	iexplore.exe
5024	1288	WerFault.exe	iexplore.exe
3252	64	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 47 IoCs

Processes:

frm_QANATS.exefrm_QANATS.exe

description	pid	process	target process
PID 736 set thread context of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 4192 set thread context of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2916	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1268	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2688	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 312	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3984	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2964	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4052	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4308	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3820	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3132	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4240	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2792	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4112	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4104	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2812	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2956	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1856	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 8	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 5040	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1060	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1660	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1164	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1580	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2788	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4972	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2304	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2440	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4740	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4000	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2028	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 4296	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2612	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 5100	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 3696	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 2560	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1500	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 428	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 1288	4192	frm_QANATS.exe	iexplore.exe
PID 4192 set thread context of 64	4192	frm_QANATS.exe	iexplore.exe

Drops file in Windows directory 4 IoCs

Processes:

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exee22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exefrm_QANATS.exefrm_QANATS.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
File opened for modification	C:\Windows\win.ini	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
File opened for modification	C:\Windows\win.ini	frm_QANATS.exe
File opened for modification	C:\Windows\win.ini	frm_QANATS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

frm_QANATS.exe

pid	process
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe
4192	frm_QANATS.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exee22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exefrm_QANATS.exefrm_QANATS.exefrm_QANATS.exe

pid	process
4700	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
432	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
3564	frm_QANATS.exe
736	frm_QANATS.exe
4192	frm_QANATS.exe

Suspicious use of UnmapMainImage 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1512 iexplore.exe
4112 iexplore.exe
1660 iexplore.exe

pid	process
1512	iexplore.exe
4112	iexplore.exe
1660	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exee22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exefrm_QANATS.exefrm_QANATS.exefrm_QANATS.exe

description	pid	process	target process
PID 4700 wrote to memory of 432	4700	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
PID 4700 wrote to memory of 432	4700	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
PID 4700 wrote to memory of 432	4700	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
PID 432 wrote to memory of 3564	432	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	frm_QANATS.exe
PID 432 wrote to memory of 3564	432	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	frm_QANATS.exe
PID 432 wrote to memory of 3564	432	e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe	frm_QANATS.exe
PID 3564 wrote to memory of 736	3564	frm_QANATS.exe	frm_QANATS.exe
PID 3564 wrote to memory of 736	3564	frm_QANATS.exe	frm_QANATS.exe
PID 3564 wrote to memory of 736	3564	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 736 wrote to memory of 4192	736	frm_QANATS.exe	frm_QANATS.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 4656	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2564	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 2568	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 3392	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1512	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe
PID 4192 wrote to memory of 1204	4192	frm_QANATS.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

frm_QANATS.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" frm_QANATS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	frm_QANATS.exe

C:\Users\Admin\AppData\Local\Temp\e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
"C:\Users\Admin\AppData\Local\Temp\e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe
"C:\Users\Admin\AppData\Local\Temp\e22a21011a6e843389fbbe8cab856a3ba7ecc184c779e2767cc91e666fa7b66a.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
"C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe"
5⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4192

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 12
7⤵
- Program crash
PID:4088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 12
7⤵
- Program crash
PID:3088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 12
7⤵
- Program crash
PID:4368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 12
7⤵
- Program crash
PID:1920

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
- Suspicious use of UnmapMainImage
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 12
7⤵
- Program crash
PID:3876

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 12
7⤵
- Program crash
PID:3248

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 12
7⤵
- Program crash
PID:620

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 12
7⤵
- Program crash
PID:2908

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 12
7⤵
- Program crash
PID:3872

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 12
7⤵
- Program crash
PID:2608

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 12
7⤵
- Program crash
PID:2168

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 12
7⤵
- Program crash
PID:3056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 12
7⤵
- Program crash
PID:3140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 12
7⤵
- Program crash
PID:3164

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 12
7⤵
- Program crash
PID:2924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 12
7⤵
- Program crash
PID:3560

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 12
7⤵
- Program crash
PID:2216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 12
7⤵
- Program crash
PID:2940

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
- Suspicious use of UnmapMainImage
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 12
7⤵
- Program crash
PID:4136

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 12
7⤵
- Program crash
PID:4140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 12
7⤵
- Program crash
PID:3456

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 12
7⤵
- Program crash
PID:4780

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 12
7⤵
- Program crash
PID:3292

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 12
7⤵
- Program crash
PID:4752

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 12
7⤵
- Program crash
PID:636

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 12
7⤵
- Program crash
PID:4088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 12
7⤵
- Program crash
PID:1064

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
- Suspicious use of UnmapMainImage
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 12
7⤵
- Program crash
PID:2056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 12
7⤵
- Program crash
PID:4768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 12
7⤵
- Program crash
PID:5052

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 12
7⤵
- Program crash
PID:4936

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12
7⤵
- Program crash
PID:1376

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 12
7⤵
- Program crash
PID:60

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 12
7⤵
- Program crash
PID:2468

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 12
7⤵
- Program crash
PID:3012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 12
7⤵
- Program crash
PID:4804

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 12
7⤵
- Program crash
PID:2832

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 12
7⤵
- Program crash
PID:4904

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 12
7⤵
- Program crash
PID:4004

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 12
7⤵
- Program crash
PID:3556

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 12
7⤵
- Program crash
PID:3736

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 12
7⤵
- Program crash
PID:1332

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 12
7⤵
- Program crash
PID:3924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 12
7⤵
- Program crash
PID:2784

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 12
7⤵
- Program crash
PID:5024

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
6⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 12
7⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2564 -ip 2564
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2568 -ip 2568
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3392 -ip 3392
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1512 -ip 1512
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1204 -ip 1204
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2916 -ip 2916
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1268 -ip 1268
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2688 -ip 2688
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 312 -ip 312
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3984 -ip 3984
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2964 -ip 2964
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4052 -ip 4052
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4308 -ip 4308
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3820 -ip 3820
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3132 -ip 3132
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4240 -ip 4240
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2792 -ip 2792
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4112 -ip 4112
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4104 -ip 4104
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2812 -ip 2812
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2956 -ip 2956
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1856 -ip 1856
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3564 -ip 3564
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 8 -ip 8
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5040 -ip 5040
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1060 -ip 1060
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1660 -ip 1660
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1164 -ip 1164
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1580 -ip 1580
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2788 -ip 2788
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4972 -ip 4972
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 2304 -ip 2304
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2440 -ip 2440
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4740 -ip 4740
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 4000 -ip 4000
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2028 -ip 2028
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4296 -ip 4296
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2612 -ip 2612
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5100 -ip 5100
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 3696 -ip 3696
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 2560 -ip 2560
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 1500 -ip 1500
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 428 -ip 428
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1288 -ip 1288
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 64 -ip 64
1⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

5

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
Filesize
1.1MB

MD5
72b518574405809b54d8e2d3a4283d50

SHA1
9429216ebd67da45ac4b9dbc24e5c47a24425e26

SHA256
4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e

SHA512
a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
Filesize
1.1MB

MD5
72b518574405809b54d8e2d3a4283d50

SHA1
9429216ebd67da45ac4b9dbc24e5c47a24425e26

SHA256
4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e

SHA512
a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
Filesize
1.1MB

MD5
72b518574405809b54d8e2d3a4283d50

SHA1
9429216ebd67da45ac4b9dbc24e5c47a24425e26

SHA256
4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e

SHA512
a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\frm_QANATS.exe
Filesize
1.1MB

MD5
72b518574405809b54d8e2d3a4283d50

SHA1
9429216ebd67da45ac4b9dbc24e5c47a24425e26

SHA256
4fde57eb8070711e8e30fe34ab1a1bf785f40a38d2fcb6468c2266f9b6e4cd2e

SHA512
a4def1b82fb9d93cadc35c6ffbb65660372962b3a66c1df9ca392055a30beec6cbe2a3f80006b32570efab0b865803e83138cecc3e23679f7946bdcce5bdccff

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/432-132-0x0000000000000000-mapping.dmp

Download
memory/432-138-0x0000000002BF0000-0x0000000002CF0000-memory.dmp

Filesize
1024KB

Download
memory/432-139-0x00007FFFB29D0000-0x00007FFFB2BC5000-memory.dmp

Filesize
2.0MB

Download
memory/432-140-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/432-144-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/736-148-0x0000000000000000-mapping.dmp

Download
memory/736-160-0x00007FFFB29D0000-0x00007FFFB2BC5000-memory.dmp

Filesize
2.0MB

Download
memory/736-161-0x0000000077D21000-0x0000000077E41000-memory.dmp

Filesize
1.1MB

Download
memory/3564-141-0x0000000000000000-mapping.dmp

Download
memory/3564-152-0x0000000002C60000-0x0000000002D60000-memory.dmp

Filesize
1024KB

Download
memory/3564-154-0x00007FFFB29D0000-0x00007FFFB2BC5000-memory.dmp

Filesize
2.0MB

Download
memory/3564-155-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/4192-156-0x0000000000000000-mapping.dmp

Download
memory/4192-157-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4192-164-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4192-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4700-137-0x0000000077D20000-0x0000000077EC3000-memory.dmp

Filesize
1.6MB

Download
memory/4700-136-0x00007FFFB29D0000-0x00007FFFB2BC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads