qakbot | 93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f

Analysis

max time kernel
119s
max time network
80s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
29-02-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
Size

1.9MB
MD5

82b8bd90e500fb0bf878d6f430c5abec
SHA1

f004c09428f2f18a145212a9e55eef3615858f9c
SHA256

93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f
SHA512

82b2e997bf5bc0d08ab8dd921aef3e8d620a61c26f86b6f481845ad694d7b97f65dfa42e1c18b83f0f827cad9df69a409b75d96793e5bd7124c26bc7cb07f881
SSDEEP

49152:Ksjitd+vszAlozTy4g5r8+5eNBABxGNvXreD68f:rihTyfcXreO8f

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Detect Qakbot Payload 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4364-94-0x000001BED02A0000-0x000001BED02CF000-memory.dmp	family_qakbot_v5
behavioral1/memory/4364-98-0x000001BED0130000-0x000001BED015D000-memory.dmp	family_qakbot_v5
behavioral1/memory/4364-99-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/4364-100-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-102-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-108-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4364-118-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-126-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-127-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-128-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-129-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5
behavioral1/memory/4748-130-0x00000168444C0000-0x00000168444EE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

2 3832 msiexec.exe
5 3832 msiexec.exe
7 3832 msiexec.exe
9 3832 msiexec.exe

flow	pid	process
2	3832	msiexec.exe
5	3832	msiexec.exe
7	3832	msiexec.exe
9	3832	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E42164EE-5510-4BB6-BA12-B7664EFD3B05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BE8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57978d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57978d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9819.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB472.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9953.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A00.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

MSIB472.tmp

pid process

3944 MSIB472.tmp

pid	process
3944	MSIB472.tmp

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exerundll32.exe

pid	process
4680	MsiExec.exe
4680	MsiExec.exe
4680	MsiExec.exe
4680	MsiExec.exe
4680	MsiExec.exe
4680	MsiExec.exe
4680	MsiExec.exe
4240	MsiExec.exe
4240	MsiExec.exe
4240	MsiExec.exe
4240	MsiExec.exe
4364	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\8978e32a = e77a3a7bdc0614cb0e2a7481d06ddd750a08e08d5d4633ca71e4efb501ed37ec3bae090a8267860d8770be9d49f070fafdde348da4e9fc42af76e746a9d0b62430a79dee98989e3d57b5a2025532accb34dc26708e2f40da68bc334407f67ecc60	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\df50abe2 = 071081d466e93c5a19900feb0cf511ecf45ecea0cab90d00888c00070201715a3f55dfabceb09043293afa4c20079a468018548111686c8d2164f1633d74af18464e05b809fd353530539c20bef8c6766697fd3d11057ea02e61a5062c8c5e1759bab684cb0c4044211163aa7a405d7119ca5e3cbb1f7e5994b33ce1a6dcb66cb4acf283f2c7261bfaf9935d2a00db504a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\d32edd0 = 0771241d07acbadeff85785fad01415df04fdc56e601e181ad2178001ad249f8aba30a467b6b4ebd3da5592eb126159c953c6336f33a5ce8d45f559f57feb8eaf4e677b72c5cafdd078a721da5a0da06db5bd0522f08c2af1a1e32a85f7c7a4264	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\193fa265 = 46c932909b7d08e150af49d2b34a036c3a2b151c484a1496bdf9239db3b87d42b1d89650e043a2e49637574396df8804a3e6c911d8ccc75cd1d4cc71198b9c468e5bec6c91bb779c6da2cf9de953ca32b76a1bbb6ecb1c36b371d1b6dc0682c113a4e98cef78dc42580ab6eaba9c165f015365497449e2121754b116f9efbefcfd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\ded7f665 = 067df2cde35c0e5a90c647d4001e406e058eee64f3363a7e70cd171d57d8325e55430bd8439e1ac39bb9d57a46f246932b6a1bf2450f09076ee62831854ef3c3ac405d57c58a0548cd33b09e206be75784917654edac8857d5b03cb8d75a7758baaea82de7c55b58571fb0b1726d4f289c8d1e2d4a80a185184aaedf31ff84f7fe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\13faab7c = c4a91dbcab1c46bef6fb0a4acd810ec358a71ed3148e3a59c3d509c8ce77e4e6ea373a7157b9a9e98ed77b49ad5b426af0f1617081512d14764aa338ea6caefcf751df1a0026ab0e372c25b95c981544a4551d828caf4d614e1fbe6b65c23a7b7a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\8978e32a = 46a6a2ec40ed220eab0abb8829477cc12d558915a5a9945968129a877996eebae70d93bf4da18896d84c5638f56e4e5f8c975de86667d7c6221235219d322626f807db9a7e4f6ad21ae2bd133c7fc3be806b037b9a4e20bcd3dcb9f7752aea1e37bc5be73671aa944108c888d0d0687fd4	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\b66188fb = a556ebfef7d891eac15eb38fd776290e33a48ad1a78b941d276120369f6898490aece867ebcfbd09b3f830045b697d4e5768697b3bc81bc8166f07a62fd6a6a8ffe24841f578f96d6b370c67193498e3e9e3e8974cc8a58d46b0a9c006173d80c9493cae45859fd52658b037bf6f8143e1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\127df6fb = 6715af38b12f8c5c31487a01ca4c3eb2bac474f275dc01b77051e7e5e5650f8429ee9b7d195f63ef7b3de1b48de6eba6cfe31fbbcef43d0e9d651b7bd7ed5fb25aa1bb4ac76dc0bb8c5f2fa4bee6a52727	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\88ffbead = 86935afd6cb3a69e83d112361e05b7fdb61aa29e32c8e7448b8fe185fd4130520d16df15a9e79ebda24fa464fbecd3ad8fd1437b525d6f8b14849d5afb2c2c74507c206916d266b663709d1fcae35dd501f9e26516d5d32bb364987d60a5231e95b93b30dcfc4fa6f9fac8f9591e6d12ad2e2da4ed0142c1d183251892205da251	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\kvosceusrbhyeym\c198ed4e = 05c77a67bd75c6f908d69d7158011875727e8176b68f7aed6132faae554701135562627e2460ac037c8d1038b37ff365b93015f2e1bb9d032a452155f358aba7b91d9ffd976810ae42fd1c3cfd61d322c657e48e43a25094026aeb315d39a26454eb2807fb5c07514b9c3c3a3f6660d92d	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSIB472.tmprundll32.exewermgr.exe

pid	process
4744	msiexec.exe
4744	msiexec.exe
3944	MSIB472.tmp
3944	MSIB472.tmp
4364	rundll32.exe
4364	rundll32.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe
4748	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3832	msiexec.exe
Token: SeSecurityPrivilege	4744	msiexec.exe
Token: SeCreateTokenPrivilege	3832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3832	msiexec.exe
Token: SeLockMemoryPrivilege	3832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3832	msiexec.exe
Token: SeMachineAccountPrivilege	3832	msiexec.exe
Token: SeTcbPrivilege	3832	msiexec.exe
Token: SeSecurityPrivilege	3832	msiexec.exe
Token: SeTakeOwnershipPrivilege	3832	msiexec.exe
Token: SeLoadDriverPrivilege	3832	msiexec.exe
Token: SeSystemProfilePrivilege	3832	msiexec.exe
Token: SeSystemtimePrivilege	3832	msiexec.exe
Token: SeProfSingleProcessPrivilege	3832	msiexec.exe
Token: SeIncBasePriorityPrivilege	3832	msiexec.exe
Token: SeCreatePagefilePrivilege	3832	msiexec.exe
Token: SeCreatePermanentPrivilege	3832	msiexec.exe
Token: SeBackupPrivilege	3832	msiexec.exe
Token: SeRestorePrivilege	3832	msiexec.exe
Token: SeShutdownPrivilege	3832	msiexec.exe
Token: SeDebugPrivilege	3832	msiexec.exe
Token: SeAuditPrivilege	3832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3832	msiexec.exe
Token: SeChangeNotifyPrivilege	3832	msiexec.exe
Token: SeRemoteShutdownPrivilege	3832	msiexec.exe
Token: SeUndockPrivilege	3832	msiexec.exe
Token: SeSyncAgentPrivilege	3832	msiexec.exe
Token: SeEnableDelegationPrivilege	3832	msiexec.exe
Token: SeManageVolumePrivilege	3832	msiexec.exe
Token: SeImpersonatePrivilege	3832	msiexec.exe
Token: SeCreateGlobalPrivilege	3832	msiexec.exe
Token: SeCreateTokenPrivilege	3832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3832	msiexec.exe
Token: SeLockMemoryPrivilege	3832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3832	msiexec.exe
Token: SeMachineAccountPrivilege	3832	msiexec.exe
Token: SeTcbPrivilege	3832	msiexec.exe
Token: SeSecurityPrivilege	3832	msiexec.exe
Token: SeTakeOwnershipPrivilege	3832	msiexec.exe
Token: SeLoadDriverPrivilege	3832	msiexec.exe
Token: SeSystemProfilePrivilege	3832	msiexec.exe
Token: SeSystemtimePrivilege	3832	msiexec.exe
Token: SeProfSingleProcessPrivilege	3832	msiexec.exe
Token: SeIncBasePriorityPrivilege	3832	msiexec.exe
Token: SeCreatePagefilePrivilege	3832	msiexec.exe
Token: SeCreatePermanentPrivilege	3832	msiexec.exe
Token: SeBackupPrivilege	3832	msiexec.exe
Token: SeRestorePrivilege	3832	msiexec.exe
Token: SeShutdownPrivilege	3832	msiexec.exe
Token: SeDebugPrivilege	3832	msiexec.exe
Token: SeAuditPrivilege	3832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3832	msiexec.exe
Token: SeChangeNotifyPrivilege	3832	msiexec.exe
Token: SeRemoteShutdownPrivilege	3832	msiexec.exe
Token: SeUndockPrivilege	3832	msiexec.exe
Token: SeSyncAgentPrivilege	3832	msiexec.exe
Token: SeEnableDelegationPrivilege	3832	msiexec.exe
Token: SeManageVolumePrivilege	3832	msiexec.exe
Token: SeImpersonatePrivilege	3832	msiexec.exe
Token: SeCreateGlobalPrivilege	3832	msiexec.exe
Token: SeCreateTokenPrivilege	3832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3832	msiexec.exe
Token: SeLockMemoryPrivilege	3832	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3832 msiexec.exe
3832 msiexec.exe

pid	process
3832	msiexec.exe
3832	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 4744 wrote to memory of 4680	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 4680	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 4680	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 3476	4744	msiexec.exe	srtasks.exe
PID 4744 wrote to memory of 3476	4744	msiexec.exe	srtasks.exe
PID 4744 wrote to memory of 4240	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 4240	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 4240	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 3944	4744	msiexec.exe	MSIB472.tmp
PID 4744 wrote to memory of 3944	4744	msiexec.exe	MSIB472.tmp
PID 4744 wrote to memory of 3944	4744	msiexec.exe	MSIB472.tmp
PID 4364 wrote to memory of 4748	4364	rundll32.exe	wermgr.exe
PID 4364 wrote to memory of 4748	4364	rundll32.exe	wermgr.exe
PID 4364 wrote to memory of 4748	4364	rundll32.exe	wermgr.exe
PID 4364 wrote to memory of 4748	4364	rundll32.exe	wermgr.exe
PID 4364 wrote to memory of 4748	4364	rundll32.exe	wermgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\93a98b919aec23411ae62dba8d0d22f939da45dec19db2b4e7293124d8f1507f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F0211DC2D365816FBC5A452C4ADF9D13 C
2⤵
- Loads dropped DLL
PID:4680

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6EBFAFF1833F3B6DF203D8496EA5482D
2⤵
- Loads dropped DLL
PID:4240

C:\Windows\Installer\MSIB472.tmp
"C:\Windows\Installer\MSIB472.tmp" /HideWindow rundll32 C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1084

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\KROST.dll,hvsi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57978e.rbs
Filesize
1KB

MD5
de52a5d0b4736a97d4c22dfa26e36383

SHA1
409bc051a08f29f7904681790965ca7ea57b1364

SHA256
7fe5cbd94d26b6385cd88c6c7833d9b935e07063b7b7e80aabbb0b883157adca

SHA512
908daf45be172b0eb76b4154404bc758c37a459fcd251f93f455318c6a2ac83afb0722ee1f7d7c74450fe2d4193052c1af20dc6427944deca6482e45f2e22a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05
Filesize
50KB

MD5
5d3ab674eea69ccf3c600a414e89607c

SHA1
1ec0289cfa412d5551d293264a6a3993c1e3e432

SHA256
46d875c64bd6095bc623463f01dab030b5b1e215f0242620d441fb4f9500119f

SHA512
4c16f4ef21f393fcadd21a67c23810025a1caeb7b00b965fbabb5797d87149d13cfcdfe2d57d7ef8eec7e66f727961e66f214418c82924298b71ba04a345573c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
Filesize
314B

MD5
553d6b1c25006148a41228871cde85aa

SHA1
eb224c3b15e92efc30d5b19c99266d9d77c472fe

SHA256
2c3228a4fbcd2e6b82c4bff3d13a928c8a75841ceeb8a6090ea4109e3ae58ffc

SHA512
fe6e24dd340abe432dc3bab7cd13755a954678b06d3cc96476a601be76c4fde2d4ff89fa2c7c739eb365d0cef1d0082136abfd34581556b9dfbb49e80f909fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize
478B

MD5
f22428c1950b3c66bf01ea0386260348

SHA1
480c9f7ec6879ff4971fe25cbd310f540fcf99e1

SHA256
867d7e6b17f1b86528e09ca8a5a014f66d500b8c6d6d734b98c08483d3b399b4

SHA512
f4f96de4c5fd11d27f9d3790144ea72177b599f5e0b21f6408ba09b83305a67616c7a369f54d12515e1aa90f5fe1d6a8d1eef46802be00a175720ba7825a60b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6DEC.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Windows\Installer\MSIB472.tmp
Filesize
397KB

MD5
b41e1b0ae2ec215c568c395b0dbb738a

SHA1
90d8e50176a1f4436604468279f29a128723c64b

SHA256
a97e782c5612c1a9c8a56c56a943f6190fa7a73c346566860b519ef02efd0dca

SHA512
828d00ea08aa5c5d28b2e513687ee1ff910670f49f938064682e56da05544ba9d73ba9244f77b5df8acaeeb7b756d62f67e5acbc95bae86b4706f6324c4ccaba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
25.0MB

MD5
6e96ec58bc35da11c87c83f81f304a2d

SHA1
5c2f544f2f6a22b2a2a068477c96f6a258ac4745

SHA256
9127c674f4e85a833285482745c227f126c353f96c446040e096824aa31b07ff

SHA512
e60250c2c55ebed39da40c14498e8095b68f2ac7d3c4cea61e46aa29bcaf4dcb92c7140dc9fd6454f3b907d582ee945973ddd0bebc016fb7fb0e8f166abdc7ba

Download Submit
\??\Volume{ac3b6578-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{52834766-ee5b-4eea-b6b9-2f29057dff95}_OnDiskSnapshotProp
Filesize
5KB

MD5
439b70918e1c8608151353c14e2080ec

SHA1
cca32c12cc323f232cd8de99f50b8ed3e77fc259

SHA256
e484a31d5710d8424042cbbfcbac0cb115ec0b47c8027f4e00405947aece33e9

SHA512
ae198bc03e9ff4b4b914b69d288eba3fa5bf96e9faae79ff40d115c8523d0829d365f86af19c55bef4b610adc166125dac00ed6b84fc29e0e21f79ee53b8cc2f

Download Submit
\Users\Admin\AppData\Roaming\KROST.dll
Filesize
459KB

MD5
0a29918110937641bbe4a2d5ee5e4272

SHA1
7d4a6976c1ece81e01d1f16ac5506266d5210734

SHA256
780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3

SHA512
998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f

Download Submit
memory/4364-98-0x000001BED0130000-0x000001BED015D000-memory.dmp

Filesize
180KB

Download
memory/4364-94-0x000001BED02A0000-0x000001BED02CF000-memory.dmp

Filesize
188KB

Download
memory/4364-93-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/4364-99-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4364-100-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4364-118-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/4748-108-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-102-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-101-0x00000168444F0000-0x00000168444F2000-memory.dmp

Filesize
8KB

Download
memory/4748-126-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-127-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-128-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-129-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download
memory/4748-130-0x00000168444C0000-0x00000168444EE000-memory.dmp

Filesize
184KB

Download