qakbot | 49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0

Analysis

max time kernel
607s
max time network
617s
platform
windows10-2004_x64
resource
win10v2004-20240412-ja
resource tags

arch:x64arch:x86image:win10v2004-20240412-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
18-04-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02.dll
Size

3.5MB
MD5

4b7b85d70329e085ab06dcdf9557b0a0
SHA1

3a277203cb4916eb1f55f867f0bd368476c613fb
SHA256

49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0
SHA512

50087b509b58a50db0a67f2aea2838c2783fb2d1d6f5a22d3a68b31e0cdfa7b3b5d469df16af437a6396d3f8dc75fafd689f9af9ce72bfb0c541a3f37ef77f03
SSDEEP

49152:Js0ewfW1oFguIXFkCEDeQi5LpAO85kDe8MS6pBAuowCSHeuOz8eoY3qtI:vfWzuEKCh91Bw8HFwCS+uXevq

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4304-1-0x000001843E6A0000-0x000001843E6CF000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-2-0x000001843CF60000-0x000001843CF8D000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-6-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-7-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-8-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-9-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-11-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-10-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-13-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-19-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-20-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-21-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/4304-23-0x000001843E6F0000-0x000001843E71F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-22-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-24-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-33-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-34-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-36-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-35-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-37-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-38-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-47-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-50-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-51-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-52-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-53-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-54-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-55-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-60-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-61-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-62-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-63-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-66-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-67-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-68-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-69-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-72-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-73-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-74-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-75-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-78-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-79-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-81-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-82-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-85-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-86-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-87-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-88-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-91-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-92-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-93-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-94-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-97-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-98-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-99-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-100-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5
behavioral1/memory/2896-103-0x00000208539E0000-0x0000020853A0F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4976 ipconfig.exe

pid	process
4976	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = 0519c572e8f7edbeb684f0cde60df3d73a01cc8db6df029a01a3e1ba89354733e688b4a89e7be4830a7a659607d898f184875ec928985091ea6746a7ba57fa5ab71d6277c38897ed7c3ffdcee54b510151	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = e4bb721b006da8b267f0f9976c312f4da6dee0175abe068e7263c662ad7e9b50e9502c1eee88688e72cf615c37f35afb4c835c76f32647322928709c705b98685d9717d19a36582897356ef872019563603b741df8c8a37c042bfcbe11643d177f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 65824542ededbe459a421a43cc283e9981cf690e60b7929b0f344d578817a153757da0fa0c9881f6aef9b1e09bab436849f6cf22facb75e3af5812a92d83778dfdf52ec868e28a8db011f13a1324ccdf8eeec1a9b534e62317dfdeb199d16930c6b0519587e49cff93294dca0819feffce159cd589f084bda3b7ea639d88e4370b49c4a53149599bd6a37a194eb1455bfe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = 652969e283dad45ab6b16e879d6f4b11fe768c9b62f0008b7626c2a33653def0fc37669a1a036102d469e8d56e5f26ff11b1f4460c224b0aa396d6e9beaa0c1ba140051b51cedaa990f6eb5615113e3ea1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 865acaf1b5a93872e2feb2e54e45d0dd5341b7278521142ca18cf6292d9eb4d0f1ad24e7ebb5f57c6ef996cf0e053a626a76c3f703cb0b43f4c8170f160a584b57bdf88b250b0cb160660a0e4ff84f59d540164653d1a04be4354654a2f1c336ce	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 86df790478b1498b25e94f3e784451633daf3c276b35ff4060371e4578e8989d93d877d801bd678351ff853cec8a712b41c3530dccbf36af4d00b9c1bef1bec6680b20116c365c4968c914a1a76dfaf8dc2b0100874da8c6e53f16429232a3f248bf4321805f3953fbed8f45945d7ff08c2607be8b7ea0cc064e54b01e90db54878cf8696a7277b02b1a8c7f7854c40a47	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = a56e8664529f07b9e186a16c2c36c26c9131948bb9da3c9b535a46110a91c8d1556184f539d55ba700f908e789d89cd2957a5bd39247263b7e112cdce183d81f9aea8feb03127b862c3eeccee95a2743444df7d8c9433d71a1a117151428fa100d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 668b777b6f4369bdde21ee8d5c16bec1208d4b188daed665e2a8675fc52d66a2e866cc73d1e185972f2693c6c8f8e3fc395cc75c51123dfd5d03049efa63d858fef1b8d42cec9b5168598b0f71281ea2e0079c34ba8c35acb33f0cb857ef6b3448	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = 44c9aac29e9d5f40188333ed5eabe7f7e359ffc72ebaab6abc6342b2f6419ec7ab262c88aae34e267bc85410d958aeb1e5e4cc78cc59a0a099c117a9fb590e99c84f91bf962b04710bcf7b70bbf8222ef8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 672c037179e554c360d3460c1244c2585f6f2695152c669bfe0e9f09305e9f60b542b03f72c9367b577546c38471cddf00d7da848c3b3e35476efd45b60d574fa3d20438433de83408fefec346d4423306309534b56114c7c793b881d6ca31844a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 6512abfaabacfbcce201640f2f3e1a5e224bea87418c7bc743bf42be76e1a0f4eed6bf6341a1dc6c21ae94817a9d7f27bd940e10b1e331939c8ed60171583444861e5b22a47ce001d959e935b987770efabc7e96799719d8349eb71a8eaf407f75	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 05c5e5d463fe0013b781561d40ca0398b9886344a040dd9d00015a94b27c5d63031a68a969040bdfb679088088f8e6bbf94c0b0b7aa9fe3d3b1c4dc708ebdc474e381bf03912626d6eec8dba4af6a4d517b5fd6c6725812e690fcaecc74991bc24310608403cad2e3e5d01cc50dd3bd45dce52f18d9ad18d317c60ee8d3a18c403efb58bdbde22be79f5f47e952f6aba11	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 469dca3cd7343a389fb2e51cb0f4583e9c8832e448105d97e38c9937edba95cfa145903386837d7936902456a4396c3cfeab7ae61312f21e94c032c7702cfff7fe9348bc8b577c67f3c422f50f13dbfbc962d0e2bd4daa6d55630ddeff201b4a6e5cbe80c61304c9fc865a334a98c15be783f272e1f8ab573909453a43f74e651b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = c4863382a74a205794ca5350c659fefd894f7ed8de284aa486898b20a187d71dd61359f60138614e8c6473ebe262ecf0095c57ca16b10615daa0d751a69893c2398304ad00e5b9a3da8d71ae96fd55f41d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 671dbd21c2cefc67a82d4aee3988198da12584a759f7631dabf7b5dd886ad7453ae640db0c6008f8d1cf4bf1c73f7f21d29b46ef8d7017ccf6aef937aa8c676201dc7e629cf6b92c2cf9fd82a8ac265b2542c8f4b3e671b3249ad30459748bb515d92fafaae93d7edb6fd0fd3c4cd59046	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 24fb07045444cbb430f0a06d3c7a367c371ad17516b1350b020244eaf58752bbabce95e90e2336defd2acc64f85cc60fed95252384b65bf2ba2d8f20d4bc7f7ba85cffde1bba6e4a95bd673314bbd2927ea8936bea8d8592766bd8c221cc2729ba2512d6c4939569dbde0bf6cf911ba66ca6b3e1abc59b1ea3c5648e25f581037a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 4695d88557aed655de051dd067519799b20eff58c1f2021667110513c2bf6f4868b277fc6b893fbc0a5566fa9c14fae25b399da17e40817dd9cc9850eb245f3870c15089809290910db896ff2a2e9a17cdfacc1e7523616e369057fd9b8cb183a7b0e9828a332bc098b89a92b236bcf024e4e0bfa7beba3f25055fa4b3621efaa0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = e4a66ee57a4e28cd22b5020a03fb9d762e8dc76ca52943b944f2830d68ebe3518e1362b631b196808edc07865a9cd4242da5e08cee4724a545bc10beabf1a8d46e98665fca8860ac0116d3cce6a27e1d0f551602be4d5feb5164b20d12edc994e20e580d461336c70ea399827cb1ff87e2299db32088dc4dab1d6f80a51887905c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 2485f83353d8b0a63959443bbf8d6125b42a43e5c0209a8849f38becb41ac44c653377272131a7b2e74aab34b554a5c75841f3f20970290de447788402ed72b967ddb3d94fee60f02d477c6fedb809e2f86f9be785080a99fbc13ba731e8cd890f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = e4d22c39a5a0a78d3f6aeaa4633fb809a76b25a14671f601c81e8a7f0201a61a81d949f818fd161bee482778fe02f2784bafd0713dcc9197a78571ab3f7b1199ee488e35162b4ef1dd2ca72b99dd744c85eca884494694192266eaae6799b405f6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = e4cba96dab605585e8a4e3f9a17e9f3b6514ef0d1659a9e78f4c549c6841533b7d18a15ffaadf0f7dbead2958bebf4c1ce85ef6855275ff442f12ae7ee45ea2764d31fda662912ae2526393d5ed056e0a7d1172ef051a178116f5cf128dd95c4cae37f86da0a1fe953faf053379a4f3d8f4073358ce3f3a415937c1f0168ab0de4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 451f057f6160ec805e4e53e0a5f86e50428a76409219d1ae5cfbc9a50bf1296e00a88d9b21f24a5a2f35ee6db347f6c38bff1b7f9c0e58bdeca5ff466c6daba586387962af49495ae8747cb349d902bb8ace837ac1710d8ab8baf42a338fed0016	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 2761aff52d33fb9c0edba95bfd5c84074ba3a29ecff23b439fae98866bbc4bb1e9758dd4ea650d45b2ee1aaf77ada50fc4ab7117ffb0a1872d4018c7b31e143c3654233417e06b1b9d2f3341380b3e172d9a53ebe77eed7f4c9d452d53e14b9841	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 053078e4c36e05134102cfc03e5ff3f2ae4c072f0fe5d8f0d4b5d28bb8c7a5a2559bc88e4967f82b17f9a3dc1ca12261a3e94d563916f70787c7e010dca957df8c12d9fabf5cefe05ed84d580fb10721d30d50fa9033138b0cde9d85dbfbb74aed	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 46d8cfd2db573d55a32f941ec9bc747befe1ead2a5d3bb29b7c9b0b72afde11d90fc202e9e3af6e77a790f1b305def08eb4b4471ec7385fb1f52d397c6f96a2c2d43060e18841b3a4f26dbe048f832ae9b73c829a5979a143cf37a36977dcff355d453f56c50fc468cf3b4483e3f79d9a4ee77b416f6121798d9ad6c785a63dce3a85257eaa43ab6c8690280f8fd4c50b3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 074e205b0bf23657b31afe88d4557b18b09bfeafef0382c7a9fdec9e74ce45f0f268076fbf9e385a6b1341543ddcdce7d13b1d3fa59a783a22db46b87e5395950b7a08c65bb4dcb1765caf1663d9fa5142e473dae7acb72a0390aa34c2cf9c71ef	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 076f2b05ffa237646efb3b78ea1ff35837c8d1fb1d875f34abe8a8f8272cfbeeb3c725e98c81b39cd00f5cfb5b70816bcfadcf4626f7b874a0474a4c4da763bba87cb550281be426d04199b8d14fc6ebaa8618487257e66240a747d64370a74962	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 440df857d77055fd1e95f351a1a18aa0c1e88cf79542cfcd3c204ccdbc187a85ad2fd1bb48e3ed5d059ca0f3322eb18334b2c9f48d701a7e35c587c06f4c2de0f692f02d2c7a68bfe95c731b8f208ccd84b112cfd6b1b1b424eb22ffbb8a3f6b3b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = a7499a5f0fbee2379e7c7f14aeff186c2db5d490bee25ee4668b7f0d169193d2ab4fe1fc1a4d3bc3b821bc459d26e123fc33ace64f67729a7fa4f3da95afadb2079d15c45ec8e1f4a218cd64044a0f2f3c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = 862dde25e3bdae3795f288ba141b5cbc4d2b5ceef56b12b38ee5a95a1f851e424a9c1a479e648d4745011aeb87bbd14cc65434269ff7a88e2451663effaadd52114b7fc551d0aead83b2402f57d2635737	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 25a738569839439baefa326f053d340ea70b55fc681ca141087ac38f8cc035c35d1fee337215b8fed577f1920bf2a6d916bcad834ee8a0f172ee5c135ca662eca4f59fe7039b3a5de8cb0d1d269f6143923a060f5e9067a873002d0f107c193621	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\68d91f2e = 878dfe1ae581f42a0e8826125c3f36e3a8628160bae241afaf863aa0b830fd5cf90e24b1139109ab42613ba209317be4d5c3173b4f096fdcad3f994fdadc21209196ae99195a9d2b762aeac5730ccca47f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 470d5d55188334cc7c60482d34cba46e74b2fde7fb35e39fc79736c9995f1a993c3011670d3f00346321044e99ecd03c8f081253a9c082c6fe34b6a69a0bd54e3f912573890b968ab024736bed43e7ab651d9a9be088a0a3c9a074df23d22b273770b7a8c273255c3cf0650a712bb54bfc7faf354bd475d40c84c9d90bbc09c497	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 64ac6462db267910d15d749e78e4376cab02747844148b2e5c6434ee22981adbe5b913e7434608f67f836a8ae084c860509f1e0428ca53ebdaf444bc7211fa415da3d3b2979a901e83308d3393a78cf5b44a50eabcb4812fa2ba95e8ee16d01345	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = a56319cb9e57f2f9a08c9396489ca24e55db4df1237e618188867a44ce01117bd3ed58fa0a090a0c96b19ad00bb7dde9c9697529f8d8041cd5cae4bc6dca880aa7944d4fd3733da845be83364d312281b21a18ff1121edcbff253a24c5e167e901abde3616be247d77096bf7b24f70823ad65adb9e2018850a2dd63536afeb9b0a96cbba74e56e4fe75f4c67c47fa755bd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = a52dec776c3609523d25fb011d9c83808cca0488ff8af7e2ff1c2cb23449afc4d44d2ed3a81556fe1723330b9a040517344ac3bba63bbbc40fbe2cfe92f75117dc606d64ef5a024c519837da8c76ab00a8f0278051c184c376b5974d9eabe6f884	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 66949e34a6af831107e54ac4ec51e524a8a30269fc5ea3f927f6de2e596122b6a21f4e4fef62b57bddb31d124094a8f063bc621b824edf0ab59d6fd1d206a27a0c51a0f79669251087b6b6ff9628e19a7d8751bbb4a49ad8b03fb9d5d7651f4339a9971b57c09d96f45db8ee486ff05b81393291fa3cc14fa4ac632ac3cff0a1f9ac7d7b504dc19622ecd4dcf7ea7d98f6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 445634307553ad4a07530991a6b586035b173219479e4ea64fac59678aae561b8941bbb9469e717bbc0ef70e86081e71fbbac0d048bc40ae9be8a6ef9418b6c2ee08c077ffb86c82901c43957b36b18ddb6e973fe7cd591f5120ca20a342e95f060859f11c2e5c5d5b07a03dc6bda0ac9baf81c6a4f38d7f533c6276a32ecf8359	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = e7227cb31d1bfe62457476f064cc78f2ae6cc89249887f236761028aef669ee1a7f2bf6a822ec065002d4a22a1a5bb6cdc9fc721d941f659093953c82a54d0a32efe91aa2344b33387c352cf1047cb06be0143d41696abda79bb6f5510602253f8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 2707dccf45cc30e03664452c8dd9dcc9af7b63e7f752727e5d638cc4c33c28238080ce2c8c091e6a4536309c9170d8fb1e35ba1cf95caf37fc01cadb0ee481e0391e95e461f210502c3f1f47e3a134b5441b61b344618b06aa0b4df6ee953503ebc196bc92db0cb774e0d1e9f243665e678b2a0427c4be26152e8ed088ce3e4583c8534b48b540680d15839a72c34719a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 44b869bc81a6fe065d594932f4aa3c2facc36dc3fe4a39cc35877cc18746ff3518446e202bd9e3d1a7e7ea294f545128d73109fbff2f21afa202d4824413d6dbe9b6bac3b26f931469bc53cd30b47a7ed95868cf04769a907f80c8a03224daecc358d56ae1eb65774511e50d664cdb1f1c9d32061a64baf6299a6d44355d7f317478b8204b7079f523a87de3b2f12573c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 07f486e59460faf5be0fa46580dd27548b6ef4589f0c50cb9156a0f066e3e3aa1ce569ba02669bcd0219e63ec84101da65562d5852cebe61f6934b1979b7b9a7a53fda788137a60ef80a05c1984bc493ddfdcc328600fa1e474f27d63e83391f2aa732f4d794d1e9775750fd36c8877c6d99a3c5d4f427eb202f6f5085dc50ef367b6b0fde489f52ab8cf8731ba116dc2f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 47c1a0482f545405c821afc2f3403c23f11dd30537efe5eb27b015d99a955efb450c95795a210de33929a53cfb74a8df1d9601b3223fb41154d82436dcd03a852a04c9eb6418967ae2b54c35ffacd2417bc18d3975a9beff0c8b6eace66d0af83de205cda27c94d9d9ec8f71f70e3956b6b65cf85dbb2626cc7db6c331d0bbf460903f71fae415c79821644078dfcf6eb3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = a7d2b2dd48af6c38e58be93dde5160e40ae8f0869020cd647dc9dae8eb6be253e281a4a9fab7a4beb0c32b2546f6abd85dd051a4338ae8e1f9ddbbd8621fc0be92add925d0cbfb1090757a8e841e9cd5f7145c7cde918a573e936727bb2c0c5ef9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 643c8c8d5f4cd77c68bb853ec0b23af0d1da4563567acb15e97173d00968bca2864019a2184df2e69a6e4b35bf1b19dfa4e35bb56a48291fafcd41fb2f509e121865c358cd679bebafd133a02b1669b4bb685fd436e73340aa438816fb010afd6fb9fa9e546f604e59893aa9de04ce992657c95d3bffa2d938442d454ede862a4b9a2b6eed71f21ddc7af693edfb6fb148	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = e4f54ee01461105fa3260d39a4f6978dc70dbbdd2385adfc1b6f840baf861f21aa164ed7e0cc08ea08310936f6e52fcc8efe80a4793fb94ec717d96c6ca5a3791c0663bb706a2ffd2758a89d05916adeb85232de7ab11d7330f7626c19850c2a1fdb52a45e9967f9de483b6b7b9afd5a094dbfb7f4a17ff3cf9ee291cb9760472704e037d9d98b6af19f97ade91f0bf705	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 84944a509a2cc8114914537fd6d68d650ab4500a1f447a0bf44f9fecd628d1aca9f7920cbe736c9be5a417f01a8b29067bd238a4731f57b2ee4900877320c76e29fd8622c85521320aa5c7cb8ac1a80f4fa122b0c04934363fc9a65419392c943a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 849a8de695936ad20aa66a4b4ea9bb429adb50822a5dbd2a3b3b0f04329f84ff0f1edd8cd4f8b16147baeb26a015ca8927097f52d6e1fb43040cbb509dce6b5a9b1adc7928dfb86e6e7ff54817d7efc7d005bdeebddb0fdb72eab5d54389fb007d78c9a1793c5492ff106a6430733ba9406e9fd2553ca168a4b3bd00234554bf98986197553f3b74b46776930f7249fd52	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\49083253 = 654ef3b839a1e91a2f536a645b8cd2df3b3ec9595c4bec6a9334044cabb2dec98636f2fb30af96ef036300130ddaa4f1450c299e19e4f67b9bd4757dc928b6e70d23440c8ecc0449652c63a247350f16d291d1700d5a2b77755faddffc6921626b70eff19972dfee2e8a857417c4c802871949d8165a803c962b58cc373aea8c35e02aed3b1f0ed7346acec86e6e4a49fc8873788bd1ae088745644f9007435777a5e779720626a853af9ad9193f2cd3e40f88df82780257c761fa3b2f08f7a44c96084e693c37d4b44680694c0977f69878c90213f56197b310722ddbe5549cb4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 651a974047620ffb87f972d494675055a70bd2c2a709bd3f3ce553daceb27fae4bcd32fd7faf2b240239eb1ed9448e93ff0fe6c6580af300c0d1cf5bebf6129fa9a584555e08b11a2d9a06c9b7d8bcc4f3bef4993f759d1feb4c2d5a46dc51daeb6878c85f76fe233f6cca25ea03f2f63ee2f143817240306f090967573c8d78f8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 6700fca898d60289345706d85eee6a5a941abe029e890d01131bc14a48eee0fba501735a3af843afe571f12f3d50d04fd940d7988727622dff88d1192b5a1cc9790f1dad44d9eddf081b1af908c7ab2292fa2228ed5ccaf674a2e098a931d5772a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 050e4786f9f1960717d35dd4d796c6f4d76a31c364e50667ad3e7edd5c68d3b2321d45b755e61324672cb94e17da44f3ab902f6cf262a8347e94054087b3acef597d7a63b9fe05e40dc426f58b66db4521522a85a95175b0145d8fc5f07ed0e86578e1ec7b70b7440321acfa2a8df1488e42ca5ba76c6dd7343bc76e2fa7f21ae9ae1a11306255086972379e5fdc9a3c87	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = e4aee0babff409166c1c3ea69e4b9554092318015ae908b949f6ecf0252838ed6fbe6121b88e1f61f2559a0315bbb35b7e69f9b3fa3b5ad0856ab5554b1c4b5f8feae029954e9fcedc62d584800f726886fa2bdf1a2e70e9c99c5a6976fcb800b1aa464884f1579e977aad48a8bf8929e0cef65c6280b1191df859210cd2d968c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 65b34fbbb6ba76ae9db925438fce745600462360c311c23b4bf0d8d3fd93b221446b4e31bf42128d51c7282a3a50702720f734d5278fbaa943d2b31cdb65522b22e0c39b8d6d8a20f15a0c6b233fdf13ee25e4174d288e91af93cd578a7c1bb8b9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = c76e83b97790bdcc71cbedc3aeb7cfde9d3f3b6223ddf24093ddeb01b04837009ab87b7a83e5ce8a26310b90f2e8a248321e3022b9c02aaa0a5ad0f179ef14fbe531d9a8987c97ed0dbbb9ff085604ab435003bf40fd1a0ee292b93f2e10929882d3c08c393d25c0283ff8fd917bf389a88463879896aa9d0c493dfc1988ba1442	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = a4688d4e39e336a4a486de1c67447285f4330963aac2dcc99ef9ef6fa18ba4a4b4c0397baee9189dcbbeee0a3164e19397b5b58f7c7b8e767c996ac1873c179a669ec66c1cc2917d692afa65b149dd7bf46e0f3390671b74bbac41529babe0649a3d626723cf2a6c31b4b987f6bd77ccd65f3ae8416069891a80bdc85fe7cbe866	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = 867d66e18ba69d1106ca4118f743f99a88138daa0487e10d6ffea5952dbad5e671b9ac8f0c249af73cb9113f60f0fe0b193ccb481456e8c40dd51eafa62936477b8ebc6898ca0aefd051c7050db24048226d20faeef82002a6850d53491cdcf190	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = e6378f9d1c06c5aa93e6799e84501f31cf02a185144d34b52d74f934733cfe5a45cd1d3f43fc5e73c1e02f6d418a99aefc98e73baa579dbf1ef7cedfd0d83be93d764be5399c093ae0a3a9f4a204d0a8504202f7ddc524d1f15311a851b2d82b4d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\f91903e6 = 27446ea43bee76170297f6f81430da56a97efba7313955ffc190f81e53eb5e095aaa959c5d2223baa3e69324be47860d0d086316c1e040bd82717fde09368cfbfc271653215320466f26cbaec0d0872269d38313c66a9fa352beb0638c71abe5999a0d3ace2946b04b523296a307fd3a714fe42a917035c6723ce3c02d46bbd404	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 66d227ddea9a6e0f59aa1e028526e5f30989a9aa966f30f4e08f67faa1fc133b11a33b3996b1417e722c8c06bcb05b7cd69f5d05190f88121369223b7df2999eb54e7714a47d273bb6f4eaeec57e52c11c94c5b083676f7b0a15a68de2bf8d6427eb7db760abc40817f0d9892c420c2f283d344a7a08bd40ff26b7242d2600476925244faf46e225dfa77beddad765bc8d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\1f207a9b = 042c027a30feb879c6a0b30a2b52fa2bc7c0be6643d421457dc51a05ecdd1512049925115c715bc79d1d2b3db428ad2554cb5f25c646721ded89df0c6027fd9033375d11452ed076f72e5144fa35494b0a7ca13e19bbf6051e803fa4868695c45d4165cd4c6fd66b7a3088d2cf5e6971bbcb336b0eaf7ad0607a074b1f092af387796b40333028ba9e2a29c7f60e688d1b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\e65618cd = 2655f8abb2a0c63d4027772494d614f0b41a3132f541e581f271c5a6deac747924a3dbbc0adafa16715ad680c4554c161110a87738a712cd587618da46aa9b65a9cc3ed0278885bb5c5d6f6d99fb3875d66e1f4ac0b216b4528969511b13c5b97f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\43cd3b4a = e506ff2af211c0661d29d80d364b7163ab94d16be4961fffd2dea57326feb525e569c59b06e18f9641767bc5aa1b7d7cf09294dbeb8de71c26bd0560bf4b06669ef8de2a8cf0bca13cee69a7d13eef1b7a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\tndwnhfsu\6f61b0 = c76d89e6582b2269f93e3f0ae84758f40556e552e27f626c1fa40163bccbc79fb51a94932f84cae8426e9e5e006670f0cfe35cd87ea65d49dc81f625f512306c748c5077e6a71f283e20bbc74820af41b3613dbad9bba5f2071cf9a9606b873034	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4304	rundll32.exe
4304	rundll32.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe
2896	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeDebugPrivilege	1660	whoami.exe
Token: SeSecurityPrivilege	4852	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

rundll32.exewermgr.exe

description	pid	process	target process
PID 4304 wrote to memory of 2896	4304	rundll32.exe	wermgr.exe
PID 4304 wrote to memory of 2896	4304	rundll32.exe	wermgr.exe
PID 4304 wrote to memory of 2896	4304	rundll32.exe	wermgr.exe
PID 4304 wrote to memory of 2896	4304	rundll32.exe	wermgr.exe
PID 4304 wrote to memory of 2896	4304	rundll32.exe	wermgr.exe
PID 2896 wrote to memory of 4976	2896	wermgr.exe	ipconfig.exe
PID 2896 wrote to memory of 4976	2896	wermgr.exe	ipconfig.exe
PID 2896 wrote to memory of 1660	2896	wermgr.exe	whoami.exe
PID 2896 wrote to memory of 1660	2896	wermgr.exe	whoami.exe
PID 2896 wrote to memory of 2928	2896	wermgr.exe	nltest.exe
PID 2896 wrote to memory of 2928	2896	wermgr.exe	nltest.exe
PID 2896 wrote to memory of 2340	2896	wermgr.exe	qwinsta.exe
PID 2896 wrote to memory of 2340	2896	wermgr.exe	qwinsta.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02.dll,checkit
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4976
- - C:\Windows\System32\whoami.exe
    whoami /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:2928
- - C:\Windows\System32\qwinsta.exe
    qwinsta
    3⤵
    PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-54-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-51-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-103-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-100-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-99-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-98-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-55-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-97-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-94-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-12-0x0000020853A10000-0x0000020853A12000-memory.dmp

Filesize
8KB

Download
memory/2896-13-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-93-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-92-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-21-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-91-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-22-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-24-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-33-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-34-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-36-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-35-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-37-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-38-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-47-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-50-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-60-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-88-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-53-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-52-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-87-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-86-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-61-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-62-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-63-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-66-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-67-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-68-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-69-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-72-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-73-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-74-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-75-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-78-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-79-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-81-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-82-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/2896-85-0x00000208539E0000-0x0000020853A0F000-memory.dmp

Filesize
188KB

Download
memory/4304-1-0x000001843E6A0000-0x000001843E6CF000-memory.dmp

Filesize
188KB

Download
memory/4304-9-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-0-0x000001843CF60000-0x000001843CF8D000-memory.dmp

Filesize
180KB

Download
memory/4304-23-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-20-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-19-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-10-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-11-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-8-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-7-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-6-0x000001843E6F0000-0x000001843E71F000-memory.dmp

Filesize
188KB

Download
memory/4304-2-0x000001843CF60000-0x000001843CF8D000-memory.dmp

Filesize
180KB

Download