e88822a680d16042ddf11c0eba10a07038a05ee0735fe4e9a3b0f22694e46b96

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Size

6.6MB
MD5

dcc68b6c2cec13406c1cdd0e5f8cd9e3
SHA1

d41072cbfd3cb1ba48d67ff238368729d5ba6ca1
SHA256

e88822a680d16042ddf11c0eba10a07038a05ee0735fe4e9a3b0f22694e46b96
SHA512

b41d1cbae5cab11c6557efd88d4e83848f5b2d0c862480b21740594d8124014c571a624fa3b4ce172fe5973270cee1b89f04a71df091549c1fb65587ef18af20
SSDEEP

196608:na0vvN3x9OLIiOK8A+zZdCj85rbz0lHU3zOtlo:VN3+LY2inz0MzOro

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Executes dropped EXE 1 IoCs

pid	Process
1188	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	Runner.exe

Loads dropped DLL 3 IoCs

pid	Process
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe

Program crash 27 IoCs

pid	pid_target	Process	procid_target
3596	1188	WerFault.exe	86
3816	1188	WerFault.exe	86
1844	1188	WerFault.exe	86
3964	1188	WerFault.exe	86
1316	1188	WerFault.exe	86
5112	1188	WerFault.exe	86
3968	1188	WerFault.exe	86
3088	1188	WerFault.exe	86
3568	1188	WerFault.exe	86
4436	1188	WerFault.exe	86
2396	1188	WerFault.exe	86
704	1188	WerFault.exe	86
2436	1188	WerFault.exe	86
4284	1188	WerFault.exe	86
4316	1188	WerFault.exe	86
4020	1188	WerFault.exe	86
1524	1188	WerFault.exe	86
684	1188	WerFault.exe	86
3308	1188	WerFault.exe	86
1324	1188	WerFault.exe	86
668	1188	WerFault.exe	86
4008	1188	WerFault.exe	86
4372	1188	WerFault.exe	86
452	1188	WerFault.exe	86
2340	1188	WerFault.exe	86
5016	1188	WerFault.exe	86
840	1188	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runner.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "753f3ad2"	Runner.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
1188	Runner.exe
2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1188	2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	86
PID 2852 wrote to memory of 1188	2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	86
PID 2852 wrote to memory of 1188	2852	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key oSW4nUSbdPLw --product "C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe" --version 2014.03.16101
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 264
    3⤵
    - Program crash
    PID:3596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 328
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 336
    3⤵
    - Program crash
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 504
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 484
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 492
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 324
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 524
    3⤵
    - Program crash
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 544
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 564
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 580
    3⤵
    - Program crash
    PID:2396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 588
    3⤵
    - Program crash
    PID:704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 600
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 640
    3⤵
    - Program crash
    PID:4284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 680
    3⤵
    - Program crash
    PID:4316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 700
    3⤵
    - Program crash
    PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 720
    3⤵
    - Program crash
    PID:1524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 728
    3⤵
    - Program crash
    PID:684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 736
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 696
    3⤵
    - Program crash
    PID:1324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 720
    3⤵
    - Program crash
    PID:668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 724
    3⤵
    - Program crash
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 796
    3⤵
    - Program crash
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 816
    3⤵
    - Program crash
    PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 832
    3⤵
    - Program crash
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 612
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 928
    3⤵
    - Program crash
    PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1188 -ip 1188
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1188 -ip 1188
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1188 -ip 1188
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1188 -ip 1188
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1188 -ip 1188
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1188 -ip 1188
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1188 -ip 1188
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1188 -ip 1188
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1188 -ip 1188
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1188 -ip 1188
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1188 -ip 1188
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1188 -ip 1188
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1188 -ip 1188
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1188 -ip 1188
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1188 -ip 1188
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1188 -ip 1188
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1188 -ip 1188
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1188 -ip 1188
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1188 -ip 1188
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1188 -ip 1188
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1188 -ip 1188
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1188 -ip 1188
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1188 -ip 1188
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1188 -ip 1188
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1188 -ip 1188
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1188 -ip 1188
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1188 -ip 1188
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\boost_interprocess\LtP_xnh0amAk

Filesize
256KB

MD5
de93575d84cfc1da0ce5f19d87f6bfb4

SHA1
dd77e720fd94a61f65e85f91f238d720e1844f9a

SHA256
a7c19a0095ae6d3bc75f95f41b00203982740c3394a045fb7b377870b4924975

SHA512
3c255568cc37efab3e6156d71f76c67fad94e8aa2385c37f7da8e649e0a06d4a1c5fa91086445aa4d04ac5eedd2f5ee6f7564fde5bc259f5a6a1b4d36c10b78c

Download Submit
C:\ProgramData\boost_interprocess\OYeSr2WVQbs

Filesize
258B

MD5
b2608e4153bf3936c62dced78b71a5ef

SHA1
e7918e218b11cc9994e5a58df227d62224350072

SHA256
5ada2bade4511608b8610cd6211fa03a928b792f097c96df84cdd9e63a604ca5

SHA512
0b44c4a8114a04c8d6caaf7c60943adb9f300087ea51721af2e775124c536caddcef63dbab594b1b0eedc3ba7dec6eb5eca2dbb25aa92aa15f0840c2a3f608cc

Download Submit
C:\ProgramData\boost_interprocess\OYeSr2WVQbsr

Filesize
256KB

MD5
604200949a68606a8b96258cad5db55c

SHA1
d6dae795ed2aeff2c6d207ed17608169a4905121

SHA256
8e674d0502f609c282a688e3857d13734595a4dcd56d183dd30872beece69df0

SHA512
25b2ef7ea56ec5807dc526333f30c8caa5a15f8cb7f83036e7ef7d5a0c609b9a50f7578a26d0e259778bfef64f66dbd2f59ec2e460e8d6aa055c5eb4f7f8deed

Download Submit
C:\ProgramData\boost_interprocess\Rm3_S5yy9eYI

Filesize
7KB

MD5
715e67e8ad49ff1fde39389879be27c9

SHA1
5647ff3759e42da9b6146933fd989db0c728c610

SHA256
fb5205fa1d64f38834087cd23963e0560995030e1e960325b48dcfcec46b348e

SHA512
ba89a996603600305fcc00079e3c7035a0abef930184ff370564ed935fe9f88cb4165b69eff437b186b075f8500ec3260728b594e443c2afbc2549f1578de770

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240826.log

Filesize
197B

MD5
9fb1fcf1bc3fa01a3fa6f0ffbf91bc03

SHA1
95fdb53ea469172fa3e265fe76608c9ec5b8d442

SHA256
fffdde7d3bc9ea35099131fcad3a63652bd1a6db221b50e38e59cb07cf60ff59

SHA512
dbea29d8971a4beb928f36317f3d7a1feb7d96b66c040ee03b3ac96cb63448d0a8ab1f937c5e0f4b0fb4d9602861c208de7ca0d29ede1f9a052e71f9ae706b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp

Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
C:\Users\Admin\AppData\Local\Temp\macAC9B.tmp

Filesize
311B

MD5
0de3224600fa47596b75fd24e035958a

SHA1
a36267c9ba27dbd2110e8c12e8ec2b8fd144f897

SHA256
dca2989cb0580eec83f0951b5136152734585c6a9a1542faa113d72866ca110e

SHA512
6884b5407479956e3dda0d52c37a5ffa4c2ce9c6289939c73d788fb67f235f2790bf67fb438fccf2aebf948b1af8b3b1c492f7bd426f232da147f3fd1ab53c7e

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.0MB

MD5
051a6bfb9bf149b2b270a4cccec51c47

SHA1
3d184dbb55559aa6716f39892ea1751665bb5bc4

SHA256
e11a05fb21364a1445c1bedf308ed151169efc7720ee73838e0058cffeebad8d

SHA512
f6fd160b6a1d825366c59585a30d331046e57ad6829b179372d5841b6744efbf0e66f95d37b720a559fa349a4e00b88b210677435a93137c89dd4ee46de8cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
d0cc6ec0c440e44c60930774639de12e

SHA1
06f54a14e7c64b8a05a85a1d612fd7eb2beecc10

SHA256
470fc89109e81eada84ad9744425dd3698672e83a1cb8badf67e350f6c2af7be

SHA512
e5cdd8add2d66e27d36d19a724a5e85ac3c9bb53bbf4cd9ba3fb2169c071970d4313a6763545578b4b332b1f4cac487f6a436d084e6847a92a94685ace1cd980

Download Submit
memory/1188-78-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/1188-98-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-76-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-77-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-42-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-92-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-95-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-96-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-97-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-49-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/1188-99-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-100-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-101-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-102-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-103-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-104-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-105-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1188-106-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads