qakbot | 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f

Resubmissions

07-02-2024 17:07

240207-vm2khsaeh3 10

24-12-2023 19:38

231224-yclcbsedd7 7

Analysis

max time kernel
599s
max time network
592s
platform
windows10-1703_x64
resource
win10-20231215-ja
resource tags

arch:x64arch:x86image:win10-20231215-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
07-02-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Detect Qakbot Payload 46 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-93-0x0000020F13960000-0x0000020F1398F000-memory.dmp	family_qakbot_v5
behavioral1/memory/620-95-0x0000020F13820000-0x0000020F1384D000-memory.dmp	family_qakbot_v5
behavioral1/memory/620-98-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/620-99-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-101-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-107-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/620-117-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-123-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-124-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-125-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-126-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-127-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-134-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-135-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-139-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-140-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-141-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-142-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-146-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-147-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-148-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-150-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-151-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-153-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-155-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-156-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-157-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-159-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-161-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-163-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-164-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-165-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-167-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-168-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-169-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-171-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-172-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-173-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-179-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-180-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-182-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-183-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-184-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-185-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-186-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/1416-188-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

2 3460 msiexec.exe
5 3460 msiexec.exe
7 3460 msiexec.exe
9 3460 msiexec.exe

flow	pid	process
2	3460	msiexec.exe
5	3460	msiexec.exe
7	3460	msiexec.exe
9	3460	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI203C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1663.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI149C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6C993F9A-9EDB-45D9-A90E-BCE13654F283}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B3A.tmp	msiexec.exe
File created	C:\Windows\Installer\e581393.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581393.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSI203C.tmp

pid process

1676 MSI203C.tmp

pid	process
1676	MSI203C.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
4376	MsiExec.exe
4376	MsiExec.exe
4376	MsiExec.exe
4376	MsiExec.exe
4376	MsiExec.exe
4376	MsiExec.exe
4376	MsiExec.exe
3068	MsiExec.exe
3068	MsiExec.exe
3068	MsiExec.exe
3068	MsiExec.exe
620	rundll32.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 840b1d5fd035305ff1bc1cf712b3f73525fe6602fda596a3dbc6fd3bd6d7c1fa8d15c7813f889a9f9d55fa6448dd47b9ae0ef50f959114214f75f5ace2eafd68f7498c1e0c3adbbbfbefa01509f2a0f1538a878359dc07528b0297ec8829149906	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 24ecf8c2f3976f1a8d68fe37ffbabed0ce0733ff1ad861c868e103568a3e18bef99120b8361fa13dca0dd06089a3a630d4b1e9fa2aa8fdb1082fdc9839c36b0a44107102bff671e68f49155fe5021b5179a584d346affb11f5435c6f132f57dc21	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 0572c3fca75be73ca0fa6d7b48d467c9648cd18f17563c9d7ea1d8f31e43d171cb395e3c553a33a6d567ce8c952727a3232b664b0f0163e72b1d0a753eb52e01f7b59c35cdf8ae5ac84442a5d871936f8cc11c0b6190f86304ab6576a0cf903978	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 8428e814768ec64f69dae862bda45bcb69f107cccd0caeb4c8fd4907dd959a589ff03c607b2eb6abc248ea0cd7f924d1b045fa5ac381224a063456f9de3512c3bfac84a128107a8ad7ed08da793c283d209b76e0392d673cf9a4953e7bbf63f455	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 463d1b1f5aef5381ad637b6d3b737802efb0b5e394951ac40dbc0815891e74848e0dec88851c2e1b38f34c469954733faaa7e0dd60aed4f37f3ceb3c7a38ef63d1088b985ce7c845b81438672562b4fca82926692823c331c07230dd4091f061d7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c5a8601708259659c8909ae8cae160053da33598ebb0db6048253b9b9447bdd8e422b7c3b2f32722275a9c074f696d3c7185884e9991cf47b7a13d4e25f9793b126bc6c2532140c1c95a22906ff820fedc4122c22dc34325c8408982e270318e10	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 67a247345a48b51f481b646c418b8800af45042e517ab84aeb366a885fca60b2beeb96884fd5ca2ae7482621acd5292a34f6be925562796e050a85168c8319b65dcf4d6b88248c088f481d93da2809364bb2f9ae4f0f5714159689e068d0feb42e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = a4743576bbac0251e5f99327bff3fd7e5d1d4c5fb168137ece00590b9656ece9ea8261c34087affcd8ec7167668b1af9a8ef6e43a48aaeb8085e35aba0ad99132ada9efef93951732eaeda39da3ef4d3fdde8c125cf82301933c4e899eb9d28ca4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 45afd21d19a1dcfece2bbdfcfdeba306c08094cfcc0e164f1b4616c70fbd5bc09185bd3bdc6518fa92597b2e9b35a9ba8086e107c27ec90f2880b8e8a3c0690906489c54140208844cc34ed3f720ec7e24222a655ee78d9f9abbe1a0febb0f089b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\15869bd2 = 471a1db236fa5a554f5c289f4dc2f6e0391f24cadff4f2aee03e6218521b1f05eab4c725a5a54bcb1a5b9c706efd38aaef8f7bc9b3c1ba638952e93859300770d68285e3ef813a86c68164811bd14e3f30ed85df905f4f95370c27a93f32c379de0caa18885a63c129fbf61082e5bdeb8517818e628e0075ccf53dd8d604c787dd38fa3745512221ea3d3ece35a544c461daa0c563f41c3a586b504ccf9fcae13b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e66d90a16f52204a698ecea7ce4f14a0d3f3c3bd1a297051af640e7e1b616588e731121eb1fbaca6fbd193e76fa44e7fc7d44c05f3c39b37afd7a5dfb4360efce10fc5f2fecfb8555adfc9f36cfc480a82da30af79108d216457ebb2e04a34f6cf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = a7762fd08eb75b64c91e6e0b276c28cc8fc1315b5e7e3b4ee72427255b5b1448dec4d3173ecb95d8de2176c0491532c653853f047ce0d7d10c699523a02728e51fe4b9a547d4a1ae8fef8f3a235649a72e7d71d83796b5cd652f4a59580a7df189	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e701120a793d66aa20009723462e40757d0d487afe642b12c6137160125e2bc51c32a2a238b957cc4e2e2f52bb4db248467b5060633f332d09ac3447e761d83b1215eb877a8a8001804a46df278a745c5fd782f9e1c36131c9b6262090bb660c29	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e7ff2e9127ce0800d991b86aaf261b8d57599da52b85f9711f26c3a9f17d315a092163b4ec42a7ce0ab0cc477a6d9390690bbc9b944dc6dc9fdfbeb357c5fad4f5fcc50a4bc5d7a72f76b40ed771db9322b5ab7e25b1a39838d0380458c2731edf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c7a79e0b1c213edc105aa2e4ca27b3d91b8e0294a242a2f1a2bce1ba93db8cd523defbfa2bc5cd6f2aadcbe15c5df0fd84687e2329855cf0d5050de25e11a06ff5ae149cb3aadad82af1f6a674b09d89bf757284fff0cfe5b41f330009b97715ed	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\b4edd7e = 45dd3bd61069af6abdf570a13b66b0c3871df81290b4eedb38a8d91ebb4858f87f0d231156249ba34af60ed2881ba79acee8fa9d7857ae8d3c356f1e18e9ce35eb97fc633a52e2c0aa8a8eee98f007e35e46934af7ac7c65091e524c8b0dc6ffff	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e68e88d757539faf003b87c7df5bf2066e907005331635b8dcfb9720706d057d29e1906e84e176d509eb98db5fae566485e6acebf44c6d641b5448b178e00dac0e8f03a6a22610e373112d75ca4bfc299ef6663d7f605dce07abf13d16dfb00e81	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 05ecbb94a2768eca489c8907074c7be3aa99b26a1879eecb04178ff097ef70e3cbf9ad0b82d413b23d95cd24633e26697b25f87cbaa4aca9c31b2889f6ce7be4226febaf649d1c9cf9be65e3a560484fbb3e848774df49fbf5db776657db64b0f3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 444da507255749779a6297ee1d996fd8660a26a8f88f0a48c64f34b1de8f76f6dcb65e0533fd21a1965b86bc1b7bf3dafa08045e0d5ed3c312520c3e9919d8fcabbc626280cd931e155a79f8aa6a9a31e9b4225b8e1f275bcded3f6db5568af49d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 87826111ebd5c506ddce7c46757ffa9cfb0821c2b97e41496e239e7daff2400334939494bcfbfd4c0af928d2c75ebc36a88e6dd14e4f57e9de5577271acbcec0a3a541af077df45b156b8c0e4c93e5cc5140dccb51b4bb76d7527acf961efee52b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 071b9035e197fbc9b3b146054bac967a3ea09cb3da25e45ea49c4a60666b2e0fd6a8d1d188da71f4f274ebf537fbe17f8ebed465a2cffd1cb788ab0e59e66b799abd6d28bd7cc211deb6d765b76e8148f25838cdb1b312f3e13028f048acdbaa56	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c628626a249f078946ae7437bd2b0b78c61cca48689e2774172c79d981d09864af736f22f7f53332460de8831b480f193fdb9e7a319d063196e27a74d1a44b412b46ed823303c1ae4c5a4a321036d9540b1abb2a959dea5913305cad560ae2b4b7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e5ef20d3c7dfe78ac577a0bc27642e96d8f0e8dff2d541cd539a5d02fa2e6ee5baea2585fb222529e1f372648ce4bdb313f7bdbdcc33869db5f4e46566a83ee0c03df52a82b4ab86f54157090156dba0c81156da92c8f11d2dac89fa31bfbafcd3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 47b1a693e40eb9c2245166a67b3a360edd314a9c6e95eb6e4689f0fa60bf4ac9fbf419fd0b974d8349e7fa1f30670a2dbaeac3b1604418171a25f61bff75f346b4fe246126a32a34873cd7e2aced973e4bb5a051b1d8c16c89f20123f17527677d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 447efb2e3ef2acd47c8c6490eb59fd4097eba96b85f6ce15f509389782a05906859c606d8d09874f80a826fae1b10eb3d9e6bac78e5e77515ea4ffca621c7cbccc789e238ca33c6e2b8850303c550f50efaee04d0a2f4582230fe3608a4c7dc99e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 65356cfd6f35bc87af27ffde560df8c486f42875e54f7f8be6ff6fe1232ab7d6c9af92a78ddb325fd2b849750476ed0b70a4542332b21070f669bc21a51f81161b7949c2b54ad121ae0a7251ceb7230eeac25f8a335983ea4e68ecf5694c01d52d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c452b76e5f8c3ae2102aecd4a9c0b7f4c7c5cf7d0746d6dec3bce7bc2b05f70ca48f3986d0ecf3c85ba6a0e65b92437e9c14889b79620c9bb238a1b06b56209569e9f5a3faeafbe469622bd376c9eedb58f35a06cdfaacd85c30131c3534578dcf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = a66919913cb726a979a2c2f968a089696674b9c44c5b30eed18f8210eb5b9194603e017b0667119830a6b0f7bd62f22db0c8698235c6d54f8f8d1f3158b2b9bd0bdaab650c1830872dfd2d6e0a167c76d354e65b84991e2db81d85b38e5345975e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 64ac2c91027d42a88408a0f89c88773234a61ad2d69f770fc12f6c26128ddc8d89b39395841986652e36c3e0f8ac7fec3e8e9bd29d499a369f57a0306d865d80a4422006a447b043a5195214280e1e98065b379b0bee8f0073f36aeff31b811cf7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 644fd4e4792a962dc30a2fff3a61f96058f6a3d36dc7e7df01bbf15ba5533d01a28cb5f01d866b0637eb6d352aab980960d55f29b18e18506be2dfdb3dbc3211bb0de94bc5a6299810c90a367b8e87c5606d3edd05c5b1ba38506cfd0ae0c0d9f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\d92c9b4c = 86d6fc92cf5b58153b2e2b2232ad1d62c65d0957b8d2348b765c3cb60b26f158d12c18423a971a119c779db22b2aa8e7da6725940524b4bc20c48e53fc2055725c4de479a976ce227cfa524af6f475d53e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\42298e9d = 87bcc6fd53439755d2c487c1137fba79bb910ad4e374068faaeccf49706bd411e4cb03b6d2bb5f47a18514e9e38d8e685284b3df4a06a203d11482a755cbba62c75222caefedc15ecacd6922c94a87184d9752410b452447871da6a3e7918596f1ba5e15d41ce713e63bf3ee7d8b49ee58	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 47b50cc3026914c7f5d6bbebc0d6135f230621be2b36e15b027d8cb47e0f5ecff9ea0d738fb9f50b9ce026400298e4c013573039ccc71fdb0d69f4431ba0c1b65ef7e4eba2cb840e4a4897e52c1927a3e8020f64c319821bca87baf34dd3812203	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 04736dc5229b1f10d251e3049b15c881a52c0e01ba371240ac72b3382ce1361e3c49786d2e23f9832d874b2b3212e8b77aeb3c37a18e5dd3a04ea7b10dec72a3ec73d0f6f35cd41ac47fdbdd68301af4948e9ef75d5bfcd6e765aaddeba0d45c9b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 063410302040e6a3ba55fd6b95c8e9b8fc60a68429f0eb4cd3ca612aebccd61cf9806a0ccca49f64243d1dc4893803ab8e574b4b31d90f64207e0060de72fb637b40fd7b8f6669d5e18f62dcd6935c4c76e35e0a65f22e88869f1d5f2bc25a0579	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\d3e99255 = 24dbbf53783fb7d7eb6d6ce414ce2383a20ee00fb43f6846d2913818303de75f89e04685b3891d02bbc882b32e76fd603691744db19f077505a76413063e862221c3e60ef01182a840401bb228c8087a9d7e6a8ff57ebe723862aa6734ee4b0576c7a0ea2129be0ce82244ec2a6bf3b339bc303576cdf114a36c207daad8b36e50c4f2e3e501f13b625946eb8ee6e6c7cb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e684ea85d020166e63f6bd3c5b4648cf3be9a6130ed36aa086a9134170b3bd64e5d2af424394535f99db2a27e38c9b3d54ecdb9d02264c88cb556f83d15cdc54b5db0bf9d6351bbaabbf704a7c04e63d30b20649144de1a16d84c55d9fa97b26fd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 64e85f0bf993dc9f6a9217aa9d366e25996a4e95639ed5d4948dd5ba4e3a3c2597db165bc505aea40cfe6b22bc8c5b6a8f6c403c642f7f872f8cbbc904d7af23aeb547f897466aa4d99ee404f0390f893f18601e38bc89dee533ed6743b7966bc3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e5e5f56b8b577b0eef91ff36f2a604707ca14797549b006aac8f2c53555c9057ae5c3d41286d4ec345d2ecd155bb60d01d5484df3584db9efbe88d93bc6276a82895fa5af0b6397294a6557253144dbc166f62ba6a06a20d34a8bcd13fec196833	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e6a016e5cffadf5d21a05996dc16cfbdaef88a7f90dd8d851e75633b8730d4464342c54c10b3d66f644a0ec40d6e5342112068c51a6c909e42a027e46e26d384b1c653afd89d5ab10b9eab0e908759f5c8eb9487211a8af1ae78bce20a7be7d09a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 66d21c7a013cf6cb9212726f38704769f195516e1790c441068f4451ed9d1d1a7fab481d2cdac0a79db15c935aa989961b5ea9b4af7cfa38981caa3088f3ccbe8e444b1fb65de880961b664afab167dbec10c9a63709ce556e9c8ccfb2f27ee994	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = a452b1e9742542c45ca9de95f80d594aee1f82e1a61e8c289361ff4c041435ffc7c16cb1b3c6230b3f3d0c87c01f0575a86f145fd2e431d6587d6419f900d91735f0ed243644a24230d85934f7aaa43d7fe7d945285ced2ec60e503ae8cefc1a1f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c5217880caf8ca475375bc8f40e6aba98309e9adacaaf83b2c7f271d73ed0404a566e9cce3c5aa86f8273b451bbaa7fad3cc45aebe7ba50edbaacd4ef1c3a5cdf9de96f988d66645aedbea38ba7e63f8d808c6d144c1bb5253a1f94ccfd7fe30e8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 07ae078250e74fb3ba64af2a0eee84bc02230ea23cf3cf337157f71b5b1353d7ba731128ed8ffe34f9474b36400de0ae3fa674f51c3760a0f85055fc45aa86a88fe2eb9d3560b6dee38d6c34a8f2262968359576415fd34303666215bcfabd07a1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 06cb1107dbe180e09f28b215ead7e52c9fad10eab892d05c039abc969361b839182fa4697c03d0a69a1f56926ca9086858d5e582ca7a10fd78ce7ed1682b511bcb67b2fa6a71ec5353da678319da49c1e02fa214181eb07c5c10d0c03c6f6f1310	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 870945b0dac3bfb281a7c163f640394e723c989c8308721937a1e797827cacbe5c4525cf7e264fbb8f78a806e2fb9bc0b5bc0ecfa60c6a8d198354cc7108e403db473b97ee310125153d331eb0010aeac3b973eda6ccbe7efbccada53088a8463f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\7cb7b8cb = 442320e74bfc966b25c51a2e4a98f76489022be76fa07e1fd438ba6298282607f6e6fd88279b7a1588e6242603b55da80c00c49cc4160328d71cf9fd38aa8793af9f183776314149b0305958e02ce545018cd69833288592ea5a30ff063d87ee56b055b8fc94d8011843813bbe2e75cab858797f0867a89ce634c8836265609c15	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 673506af370e85fe70ac7f455c411f2a2e5343c06ad7f0314164b5e0d915e90b66666519912a60a2a96ec0cbbee9c58f5ae0e6c2110cf71cf97848d3dd12115756a9cce19cc364eabdaa930a8386e162991dd8b3614fad575c001e189121c23d5f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c627d6bc30058ed47e465ed788fbb9e7073d94f9e4430efe96b479c06da7290289dbd10827e0a99695c9deb6b6f457f8717f1d15294706c8ad185b6c4b62cb62b6fef6336dc6e32a762f5b4ef528e0d918d9ab9418df2943fe9308dba813001e0b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = e53809aa7344e154d6c2685496d600b9422aeec626571575ad025585923556d7409bd7d0968ef0847ee4503112ca23d1f6c339f9b9ce0f91e7c46229227fdbdca3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\c7e4dde0 = c4fd12edcf89ce4671fdd490bd3e7c1eb287074cad815cf73866610854c8c4a35ba38f673446c859c997064fb94223cb360ec5921054e6cd07aad0c3d77e4fb14072255a89e9368bdf0225537f048a46d7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = c49466480437145fbaee1460a095bc35ce33027a55c5dcdb899e02dd0f60ae0fe8b873d7159e602c34dc64a6b12573ced277571c2f1c55f66a9ae672ce1c74168dda47a3595302f9c5e93637caa6171a3bcea058fc109abb6ae6b25d8c060f1c0f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 467df683906484f63f3aacb6ecfffead43fc36c9c39c4efcb0a964ef8557865a75cb6a2c93eabc288db050e57cb0dfbdd79c6c71d83168e37de0ac550c00c3a87dac9880e1ca699b74dfa967fd7ab2f0845df79c42899129358b9733919cecf3a4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 67750988e956b4a3b73d3e61b0e8f45acbc534414bd27e2eed2192bb581a5870b6063a6604ca2f89fe1d08bb1d716469d0e6ee38f1e7895b22121f7669c25ea16f949fd6bc8b30dc53a26b96ada592ef5091a51cc2c75399416b760d45596d9669	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 062b2571df73c10dbeba89a636f918828b731518f05ef8f5273163a84a40f6e8800be6752fb52338bf972e1fbc36294106ddcd5ca7f47614dcab7cf374f7b35eb8c5ec66f3e1354f98d496b26b897bf44bffac9c3f9d306e517a96f9dc88813c98	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 672da5de8830d6d80f03b14d0e51fcb1b054abee349ac04a0abd84ecca6ef0e89c337c30c7ffb38b001f7461cee5ede28af0057601ee53f4c3e5fccb95c0e7669b7bad5aa35d81734f17abc39d15ee7929694ee885d3a48a802166708f64bbe7b9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 07ace718c896089fd89ab815a2a63cc9a7b17f9de35529dad885917c5a66a4e3387457eff5aec2dead1b576962b84a6248700444ff5e7ff6cf7faef2d9a61e875d7779e3e539f7b3af045806717ca7408686bfb631868f7e0a3a8baeefd7351115	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 85b912f113c9869d1b2a004f777f9ca07fd239dc8cfee1c2e16fd06b599837bd30041ba6c43cc01eb40c8a7a3b3a3d9c2d8844f36cd4a4187771bc3454a8cc16f7799da4c350209968eb843516305f8ec9b76749bf595780b2671289fb217761a6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\1401c655 = a6016751d65ccc0827f429d7930961f7770cd1dee9ba16e8065f75a05b02f54b8aa0cd8ba430d36806653f5cee857ad4e34bae1c4a1b79982dd1be454bfec38ab0fde92ad082f9061816709fe137f6463a82b0222a8e43f2dddbf8933e5ee9e3df964e4a317806aea82a7a670186a30419	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\d8abc6cb = 44a6e5e477e24ffbc57e8a37eec5dac91a0c9de7189304c3ed0cd82b4a646e41516adc3910ee2d2698b1fdd1d60b212e87d0f3814de2fbc85016ca6114b02b755a5953e618dc9dfa9bd46f633e2d92daa8409e4e9bd6f0be9bda46146752ba8356e14b1207ab16c0bd74924e72e16ff6e4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 65034b4b5a99e4e852d851af7807236697f129b16e76c68bcd03ae9f4c934ce6306fbc0d83aa09e0d4cbd805bdb319e3229803edc5f32b7c4ac45d261e60d0367d40baa081249f897fac5bca620ee83229	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 06c969e3ec5eb51fb32884bf5bcf3da7647bda25e623c54f741cd9001b60d8d1c6219242de8a1eae62f53e66e0ee825f45b1732fd6140161b0d416ef809ca2734ac1377deb22b07b34be261f5f27698e33edf39f3c4cc15cf04a891aedbb714cf3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000_Classes\jiydeguwisub\43aed31a = 47002787f90666db0907d936902270ee1345675c3ea383d0a7f81837596ad1f182f587741c2d095c3baf0687016be34b8f975044bfe5225e8e6b57088af319981d0b9ab7b062d3ca554740a65f9fe7895e87c60c3f3905987f5ef575335d4c2f4a	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSI203C.tmprundll32.exewermgr.exe

pid	process
4020	msiexec.exe
4020	msiexec.exe
1676	MSI203C.tmp
1676	MSI203C.tmp
620	rundll32.exe
620	rundll32.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe
1416	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3460	msiexec.exe
Token: SeSecurityPrivilege	4020	msiexec.exe
Token: SeCreateTokenPrivilege	3460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3460	msiexec.exe
Token: SeLockMemoryPrivilege	3460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3460	msiexec.exe
Token: SeMachineAccountPrivilege	3460	msiexec.exe
Token: SeTcbPrivilege	3460	msiexec.exe
Token: SeSecurityPrivilege	3460	msiexec.exe
Token: SeTakeOwnershipPrivilege	3460	msiexec.exe
Token: SeLoadDriverPrivilege	3460	msiexec.exe
Token: SeSystemProfilePrivilege	3460	msiexec.exe
Token: SeSystemtimePrivilege	3460	msiexec.exe
Token: SeProfSingleProcessPrivilege	3460	msiexec.exe
Token: SeIncBasePriorityPrivilege	3460	msiexec.exe
Token: SeCreatePagefilePrivilege	3460	msiexec.exe
Token: SeCreatePermanentPrivilege	3460	msiexec.exe
Token: SeBackupPrivilege	3460	msiexec.exe
Token: SeRestorePrivilege	3460	msiexec.exe
Token: SeShutdownPrivilege	3460	msiexec.exe
Token: SeDebugPrivilege	3460	msiexec.exe
Token: SeAuditPrivilege	3460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3460	msiexec.exe
Token: SeChangeNotifyPrivilege	3460	msiexec.exe
Token: SeRemoteShutdownPrivilege	3460	msiexec.exe
Token: SeUndockPrivilege	3460	msiexec.exe
Token: SeSyncAgentPrivilege	3460	msiexec.exe
Token: SeEnableDelegationPrivilege	3460	msiexec.exe
Token: SeManageVolumePrivilege	3460	msiexec.exe
Token: SeImpersonatePrivilege	3460	msiexec.exe
Token: SeCreateGlobalPrivilege	3460	msiexec.exe
Token: SeCreateTokenPrivilege	3460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3460	msiexec.exe
Token: SeLockMemoryPrivilege	3460	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3460	msiexec.exe
Token: SeMachineAccountPrivilege	3460	msiexec.exe
Token: SeTcbPrivilege	3460	msiexec.exe
Token: SeSecurityPrivilege	3460	msiexec.exe
Token: SeTakeOwnershipPrivilege	3460	msiexec.exe
Token: SeLoadDriverPrivilege	3460	msiexec.exe
Token: SeSystemProfilePrivilege	3460	msiexec.exe
Token: SeSystemtimePrivilege	3460	msiexec.exe
Token: SeProfSingleProcessPrivilege	3460	msiexec.exe
Token: SeIncBasePriorityPrivilege	3460	msiexec.exe
Token: SeCreatePagefilePrivilege	3460	msiexec.exe
Token: SeCreatePermanentPrivilege	3460	msiexec.exe
Token: SeBackupPrivilege	3460	msiexec.exe
Token: SeRestorePrivilege	3460	msiexec.exe
Token: SeShutdownPrivilege	3460	msiexec.exe
Token: SeDebugPrivilege	3460	msiexec.exe
Token: SeAuditPrivilege	3460	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3460	msiexec.exe
Token: SeChangeNotifyPrivilege	3460	msiexec.exe
Token: SeRemoteShutdownPrivilege	3460	msiexec.exe
Token: SeUndockPrivilege	3460	msiexec.exe
Token: SeSyncAgentPrivilege	3460	msiexec.exe
Token: SeEnableDelegationPrivilege	3460	msiexec.exe
Token: SeManageVolumePrivilege	3460	msiexec.exe
Token: SeImpersonatePrivilege	3460	msiexec.exe
Token: SeCreateGlobalPrivilege	3460	msiexec.exe
Token: SeCreateTokenPrivilege	3460	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3460	msiexec.exe
Token: SeLockMemoryPrivilege	3460	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3460 msiexec.exe
3460 msiexec.exe

pid	process
3460	msiexec.exe
3460	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 4020 wrote to memory of 4376	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 4376	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 4376	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 5092	4020	msiexec.exe	srtasks.exe
PID 4020 wrote to memory of 5092	4020	msiexec.exe	srtasks.exe
PID 4020 wrote to memory of 3068	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 3068	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 3068	4020	msiexec.exe	MsiExec.exe
PID 4020 wrote to memory of 1676	4020	msiexec.exe	MSI203C.tmp
PID 4020 wrote to memory of 1676	4020	msiexec.exe	MSI203C.tmp
PID 4020 wrote to memory of 1676	4020	msiexec.exe	MSI203C.tmp
PID 620 wrote to memory of 1416	620	rundll32.exe	wermgr.exe
PID 620 wrote to memory of 1416	620	rundll32.exe	wermgr.exe
PID 620 wrote to memory of 1416	620	rundll32.exe	wermgr.exe
PID 620 wrote to memory of 1416	620	rundll32.exe	wermgr.exe
PID 620 wrote to memory of 1416	620	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 127BCA3F820B08D2C9036E74529859E9 C
2⤵
- Loads dropped DLL
PID:4376

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5092

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 70C25B97885CAF4BDC0B54F3FDCCBF07
2⤵
- Loads dropped DLL
PID:3068

C:\Windows\Installer\MSI203C.tmp
"C:\Windows\Installer\MSI203C.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3956

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581394.rbs
Filesize
1KB

MD5
f562eef029a3e927e2c6d7dc0c70d8d0

SHA1
aee88f9dd9691a4a353df9b1d35482fc643821e8

SHA256
354ddeafb1c6b9942a45b0dca41d6d35ade9c064bffbb72cf87a7e943a36a94e

SHA512
862d9808f316ec3b1bd3d3d8c8d52398903534f7e4d0f9c793d09768eecf1d23cb4499398e0bd64f4e49ce1a291313d5ba82c8f89fbd3fc2c36eb1d8a9409f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
49KB

MD5
4de0793bd575d2288dd23d76f8fb5ebc

SHA1
637c81ad7ff94deaa914dde19673553bf90a66ea

SHA256
bc4a6499a49dda069ace5879794f1c1b0735954290576bda6743a26dcafb2ff2

SHA512
587072af2544710169a463bdc80cf059a7740da2ad9532354fc119ecf4730e7a011c946e58d3272b4bafc1504347d08d970d31ac30687c5baff22e14a1768e9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
8bb3daad9d38b02b22c4fa0d4a809bf6

SHA1
cc85b7ec5ba1baf39dbf53145dce318ec51199d6

SHA256
2d30fbc11e09dc91609f5a164aa2603d0f9d16a9e5df84ec683659f2dce49800

SHA512
e1a80e684516665a45b7fe21a0f708d880974bfadb2ae9fdeccfe4d8534b61f8e927c25ca991bf09a56ee403e8d88e7457abdef6523068a5eb61e174a79ca34d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
165b4736968cb0bd1a927fcfc717b9c6

SHA1
034ae00a1e68e7bdcf7c14af117a39bad0c8824d

SHA256
c30b261c57a3d99dc3ec01a0e38cb661ddafb80ae1490ff93afcf286f3e96968

SHA512
f1bf66534548ce745620c5702570e827b93039cc28cf8d76dd45c006c4aa0591a1fdffdd71ddb9d06e7670a3a17021cc90b5872954732365a8ac340573e4c00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC8C.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIADF4.tmp
Filesize
256KB

MD5
469967b124b062210bd6d4a017ada09c

SHA1
b02d1c130c3d5ab55b0be0f9af6d207916591335

SHA256
05d76e04b26c269244c6db05d7254c27e50480142fa48f4c889b54b1c27741ea

SHA512
b95ac7b76a4ab3f87d619e41f59298669c770c77a45d0ce0f1d889d778448418d7b64f4ed99eb63d59fae299077b5fd995f95985c545b9fbc45427d5927c2f09

Download Submit
C:\Windows\Installer\MSI203C.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
25.0MB

MD5
7fa84dd61e6030193b15639dc12bb73b

SHA1
67f7af397a7225494788044cd23989d972d3ef16

SHA256
cf6094f2fad9b526f2999b30294bad70857c96e46c539a20a4eb45ce3adc220f

SHA512
c2964661bd5a1be26b07458597adc55af5b52c8136aa5074d3b3cbf72178b2677e4a0ac69bbbf4bc09fc8f3a017bdd0542ba07a8f37b9d5682235c66817425a6

Download Submit
\??\Volume{e9e35ac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a16c8744-ec75-439b-a950-5fb2cc71e37e}_OnDiskSnapshotProp
Filesize
5KB

MD5
238cc6c1150e317e02035d2b5b718159

SHA1
35c8610e5d357dc3c3e86854a7cea4d6d7a468b9

SHA256
9818dc86e848b9dccc75b83e44d26e68cca8bf9b2cff4e81c35177f44fb85376

SHA512
ad99e073b35273140874b6ec8af9b16305fb47ec7bfd8f4b38b706cbc665e5907993deb7e65b7fca01a734b7f4d1b446824ce7904c403e41c2bc152d5f7e3f61

Download Submit
\Users\Admin\AppData\Local\Temp\MSIADF4.tmp
Filesize
32KB

MD5
e6bc81dbfaf177607bf78e85c185e48e

SHA1
202f5f61737949092c8bfb18f8998ba29c297969

SHA256
572c737d41462d6bb7fdfd7ca4dc06b739bd5d99244ab47631ed52ec2a2c72cd

SHA512
702a3e5e86cdc606223cdfe105b6f76063a305b29ceed12a0beddeb194d760824c2fbd48c41b2c3284be57e654752b2a5b8aa8ee96c0b845de2fce7badd33a7c

Download Submit
\Users\Admin\AppData\Roaming\KROST.dll
Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
memory/620-93-0x0000020F13960000-0x0000020F1398F000-memory.dmp

Filesize
188KB

Download
memory/620-95-0x0000020F13820000-0x0000020F1384D000-memory.dmp

Filesize
180KB

Download
memory/620-98-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/620-99-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/620-117-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/620-92-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/1416-141-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-156-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-124-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-125-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-126-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-127-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-107-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-101-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-134-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-135-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-139-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-140-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-100-0x000001C8CE8F0000-0x000001C8CE8F2000-memory.dmp

Filesize
8KB

Download
memory/1416-142-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-146-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-147-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-148-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-150-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-151-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-153-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-155-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-123-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-157-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-159-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-161-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-163-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-164-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-165-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-167-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-168-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-169-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-171-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-172-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-173-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-179-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-180-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-182-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-183-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-184-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-185-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-186-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download
memory/1416-188-0x000001C8CE8C0000-0x000001C8CE8EE000-memory.dmp

Filesize
184KB

Download