qakbot | 59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35

Analysis

max time kernel
1202s
max time network
1208s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

userapi.dll
Size

167KB
MD5

ce75519a7d251a187dbd7e72b53b093a
SHA1

fa103591148ab8478a84ce25db28ece2e678bd02
SHA256

59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35
SHA512

d40da7049f41ddb6b2e6bb751405385256fd9465101ebcf7af8441f8ffa4733df8528ea6312ca6c3d7e57b1365c4c472215865b978f17ccd11deb13b8bdbf5c8
SSDEEP

3072:GeWBsy+tW4we6Ygz5vEEFV6Q+S19N+sqoi7geA7y9utB5t:GeWBsRE/dYw5FMkj+sNiTA7ptB

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 54 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2880-1-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-7-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/464-8-0x0000000180000000-0x000000018002F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-9-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-10-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-19-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-20-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-21-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-22-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-23-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-24-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-30-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-31-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-32-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-33-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-34-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-35-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-36-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-37-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-38-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-40-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-41-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-42-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-43-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-44-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-45-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-46-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-47-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-48-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-50-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-51-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-52-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-53-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-54-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-56-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-57-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-58-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-59-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-60-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-61-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-64-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-65-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-66-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-67-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-68-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-69-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-71-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-72-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-73-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-74-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-75-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-77-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-78-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2880-79-0x0000026838750000-0x000002683877F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

3856 ipconfig.exe
4044 ipconfig.exe

pid	process
3856	ipconfig.exe
4044	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 66d3c65fdef26185788827bf96d37d6666c849572b47f07593ac8896d2693229f0150dd56054681ddb23a37433568e33c0caad846325bb5dd45dfa97561a5cec24	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = a7454e3cae8494998ca26b8ae2018242c4bb52480d557a1fdceae04e9a5916a56ee73af38ec9efdfe29b224d5dd541e3cb868e6fbd29be6c3f55b27755709c5fcaf2c7ebe970cc685692185d78f770a229dc579568bf4b18bab3340aaf637780fe0565fa4eb70a160d636171826eb01362aca147b9ce1ee548c8a8da6c3eaaedd4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = e736e321bef2d36b9354b1c3fdb82412ac54b71179eea1c3da97b90f3ebdcf78d8ee325331a91d110252b58aa328112f81e1224242d6964e9abe0b88036feee7412c314619c77b1d7f23eb90c054c19c6822d75dc235a3dbcd9ccb4f1b2fe35bde8dc4a98db5bee096f167bee52ac11df82a6e095944cc2b637143cf60620376df	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = 043060d9b83531fa8fb2371f54b29e4d5fa5196383d686f36a0ff34cb0f0bcca7fb27064a787f76699b4abc56160f224691381c8d93c84ab26784c2134bcff17870527e96fcb4aeb92254580a269995674	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 04d1f68d9c924a5ca3c886e705043f1d535b615252c3e2269960751c88714e61606297c91b895e9081456eb376e4b48db294369ff0cf56f0672b380ffcc8a0cd4b48ff207551024a5963566aeb6079fb65de367f40ae66514befd882accc824ceab54c7fb116d57ff6411ecc3f775b25765d2b05b9db1a9c033e93c5e47b46ba60	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = c5abf6de519ecaeba0979f49cac4c000eec5eaa3d1c33d2167afdfb2671a3caa64df8e591b32b36fb915bc382d5c0f7353508281797bc85ad8ce8a5428677250219e49902d9b89b299ce004afde45021f828b34f54d61f76955b5f44bce799f027dcf1d23d4c0c3f91649e043d0a116230aaf89db3aaed4ebd985d4874304826f8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 07d2d8194a929a72a5870e1ede8ea39d163f0e38f3b04b137cf7f1b1249a228e6b99e406834cf2ee4f1cbec63d5ed4aefe4291e1e11c0d8edd1983b990640a3caac9b9e524e480b370dfb6ddb696bf2d6eb21dbeda302fbf58555825de6d4fa6f8c593a24c3f6c42e521fb888981183f32acca86bd557c2caa3191ec3690c8aec4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\8b6bbed4 = 4521b323b1e78def74b63eab2062190f2cea60a0b2aaa2c99b56350d85b4966167a70a4dcd205c1fdd2c75db3382b4ff11cfa278bf433654fe795f49687930f01803683a0fbd8ed06bb2cc87d311982c10	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 24f47fa8793ef2df389ed70a3ff8e57759857d5d0c7b73e093831c97cfddb4d7e84f97434cb29f8a94a4bae9dee6d87db7dc47ed3550d1ccf55715bcbb00a627af	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 66e18c8f88954548850cbdc61c5e0e013f437e316ee4f296fc4028bc61408e6bfaf1bb853eaab9c11768bd1e5f57a9dd6ffafc9277b4f7dff992339ab5c965e8bb51c910e273a92674abda1efece22c82ee5f5392964b18e2e8b36b01a20ffdbb7790da9cded3d4daf66ef705837b000b99f00e8ca914a289f8e948ea7fbb67977	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 8623dc7cc280531e123887ae8730f3fe32836367b1561a683ab81bc0ec0f94ef3de669a571a0b9139332b5c034cc2f3b3a32c37d0364cbecef48513011be08a35e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = a7485a16911ccd9cc6aa6c81f472ae99752119242866d45c56cb4f4191e7c6d8544bb5f4fa11451a1fcbd37cb0a4827780583122780743c9764c547ad5796f16a2b05f5c327c414faf2c587d601c1f3e120726858c3fe6866a52d522035c00e80733b9a674ba04e43d689ecf7bbc0bcb899108e23defd2e6996a3d3087ba7ec66a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 046eebb01ad9f7056a64e1ff13753f546b60f710d3decd2a2dfcdaf67000d0925b9aa3f9f61aee8c6d02e078f101db6006bd6f2d7310114ff785b5318e57c5f43ddb7d549b67b80f48720e6403222f15fb7469ae30e47c89c0f6922ee28a9565fa5ad4210a410f33629093d9eab549b3da1a6f34b80ba7e84ca1a94ba346e7047a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = a5b1abe1aa6e9e6e97061949021d55fb99165120582b9cff34aa7ae4199ad1c3992b2373d3decb798c3074ab452501bbd5d2282aaa82272a87f9296da1e82e37ba50a83554d5b6985bcd541e0e7d9202e6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = a65d56819e24b7b7a16bb54f44cc9e8c7d1876d510710ac9436433b276a12a659b10ae9237f74fb777df961c900e30ae6652c314a0ddd0ab0a0f55cbeffdcbdd5c3625f73e8b45ce71aa2e14a1fa8202a895222ccda8e9e8982bcf97dc5723512787229da933715b61e94a4b021faf7aef838bfb2da8c70231883c109ab7b5cf33	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = e48c018cc5f247a62c1e3210711f167f77b2dac079bddc572971910eb5f81e446f2dff77a86abca27e160c11aa97ad2242b8c15969d5eb56ab9c5c19d2e7e7756889fc4b5bb133fc97dbd481b1117616bcf2aa7e3e41a76bb52892e8ef58a513891efd4390ee5ba72cea373c4b31654f306e07dd780dc2193b24c5d85e6416677a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = c6eeb8b30aeb76d6c8880cd568aca1d68f03342c45de9e4be7753effe5c0c4abf374dbc12a7e75411e401700fcc03fcd2521723b1881d7229d87836b5736b3c0261e7c59a6d9d3d0ee7370f470aa57e60ac14c4895f2ffe24914df11c3c4c54d50134f8f025d2907674bdd923f8515e947323163f1b2d0c32dfe34942ac8f1962c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = 05c67e6f86ffcf51d89bb053d69416eca4ddad34a797b0e23e3d767b8e216f6f1b31412a4774bf6c5c72820a0c3620dfe96e4fa799b996c07015016692ad9deb6e5146b9ecc3ee736eadc5b66f872e204cad83da980b02eb7fb451d895ac7d6c80bc16e9221f52aa639e25bfcb7ddf82621965b56d0a42f2e3685903a82e2fa9b9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = e6bbbf0f784252987e08dd49a417f9feb164b2a69a7e747d690bec36488b2f0723dabedbb61491ba4d62d13a3e19cd6cb50e031dfa2033934570ae69ee92a1dae8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 466e3b41bc8a1c9dbc2c9bcce0541470dbad4a0de807666cc0606742facaf4abea85745ed77ae2c4b12f900aab112648007d34cd49212944b82c686fe6408d37caf42444c38dca44a6531e2c523fbc7a2da32364c50e345ee25eca26466c84329fdb41bbb19365aa6f5d99c5b0ca3f32d096e3a0fd32e34974f19d4034f8992548	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\8b6bbed4 = 85bbeb5b0aa3a72f324d82cb17031c851cbbdb65fc73579339e677276493bf244ffcd6217698352c5189dadb5ed3d901ad527da4c7032ee8f4a299513fa5b807825d283d790ebb246af38c1731ce300051	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = e5c154b021df14ca80cbf4fc36bc2bebf388a773cc60d35022399b3d44142671b5caa409421f4d74f476face4ceb5cd40c0a0fcecca7fe120514bd1054e0f8034b552bd37403fea0cdb2ec49d0b88390759509938c446b1f3c734d9d4cc619636b59a2b8a652b528ba9727be6eecebd47ff99cd5fea1204a0b1bc6f2b0d62fef2e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 6717e3a55b8dff801d777b6276a7c07778c18dd589e07fc1ef65f186d724d715c5fd78bbab5f14561e3ae6c492059abeb8a3a7e9a15729c250755c265a341b2a0b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 2524f8da4846a3da58e66fd3c023e7ed31f452307689ec69b2b6141e9bdef96dd2b832b13f414beaefcfbc9d76dbddce6ab6768539d5b9447f0c1a0cb069f37e16	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 475fad59bcc27a6aa37bb2083fd591de127f4be7a64746bd76d9d3f6e31424a360f72b680c7a32c70caa3e07489141abdbeded8ac62935b7dc14cd81e683d052c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = a6a777966e9b364a448a969c9e56776f19b53b8e9823b97382ca4d148f90768324b6df9ff48ffff215ee4a67b29931a2201a4b62ddc8d98ea16eff8c5a87596c304799ae0c7bc892c77fdbb357131d0d1cb32b39f03671f0626e30bdd5daca320d49cd62551253f269477e0114647301547fa5c9040eef983fc56a54a2f329bf25	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 44363340d3ea8f157d50d2814ec9914c084f4d79e3acd68bb76a1be185a95ac5582a90e78326368da01f87370ce49aafbc46b0189a81991d327b9649b4ecc557cf9ae51751196a024de5caf1f36f7dd4d2c5650c2ad8118cb9251d13586eee743d41e334a5eefa2f2e0aed119574635b08110059985ee41f9d8c174afab4ab7371	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = 04ccccd398627d21f2f7194c8bae997993b02fa808210aa09cf00c7542f8d5471d3d99a7cc0be433d29bd01d851426a4c2a34909956cbd5104cca6fe350953b82c3931f88932fbfab8e598cbcd0896bbf065bc781eb167e682043ddf883f415dc191d07e3ab3c4b9a893ac3dd9ba0b073c2155b79d32083b4cedd2ffae24d865a8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\8b6bbed4 = 248c2f982675dbf31fe3387b192bbc9c588b094ce6b7dd7f92e5ab86059d0172005bc181b81310e9e267e5b01e1d471d6329ab4a240b1563c2d228ae68af82764abb9d303b3baecdd95e71f37826782545	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = e4eda2233c42c25505923c8f0c0c75075a62b46f3bc409e42c1ebe80944d48b78b1450f74a91dd3106a8ad5c8c874851299b1fbbbfa7076abd1c66678092298ee63e486c77d725fab3c070c521697cc5f9b1ef488663ad807bcd8a3029ba11f50c59f17662d2001a8d37382121bb19398bc1021bda95e4376566d127143580ee39	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = c7fbd26f61404347373bba8900e53584dd289c26d8f004186572a1f1c2450465cbdc185d11aade94b99939037c774462ced4f5e67ffe4ca780beae191517470ab5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 07921c72f89b29da95ba50a595c3517dd01475b8e93d5e82e522c4bbf3830f762052fce80a1598b95254aa6f436c34ec2aa3456e4f7c7548ef80045e8abfec9abe285de0c5f8e2aa0f9ab82843fd1987d4b79113e3ca7d8bab839f725d00c00ecd76715240dcdba17919813e7955a7f88a9b88e1e9f5bbbef4cbd7a3b7583d8283	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 844cef1ac910db9e2a3459ece6f7140eee3f2e63cc84d6eadcfd89a3dff2a7d6b26ff5a201d4cd90bd58c9f2567c155455bafd6d093f9ec35137b7bc5ff79a6f5405a09ccf57b3227b7c228d41893640c61f326a30c5c6dfab956c78b8c02dec9200dd6ca404839aa01d5d41d3d32721ae101a9c9114bd992bed4c73d1977ce660	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = 04e4184b95fc489dd143cc090d5ad2c7532ca9db41e17d735e434bb141751abf9fc029d85fd7b40ecb9af92f4a7ab6dd4a167050ed6e83ce6d65969d5d2608c893de9d93c02bb89b7bc41de4a213ed6903	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = 45ed90bee8468d01966e78d6442a2d736f1a9c8b18371c26f4de561e2715e39a581a3fc34438d976d0650a59062330276be8c40cd20049821db731741776bbcdfb40ab47a97fa2e6293710121a20e987c79b17332aea2d04e2f104e89464647e3821fe381a37fd730611f533a344befe7ba5c227b7027d1ff3b3888d28ea9a0b51	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = 677c4b3516a2fef60b269fb5d0e909c4361654eed48c01a0310466af08b56063af89e2f531c94e5058517e21a73a25cc777731231faf431b2915bbb9bf32fc117b33f692b7049911494a831a4e811b13a6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 65125bf7b94c30cf19324d5d08bd454c1f0c28ad6f94c0c29b732e8667153ee2e3c5e88214a8a5ce6a00039c8b3a3010f9eaea2b76e6c28b71992db42482e23d3eaa91f86a96e0e82e8b40085d15f0bc38ddca903e27c5115bf2eb2a27e0aefdf1ecdd190e6ea9e831f48e96f640b424d46ab30c35f07af3903c4a7dad08ed824f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 26ac88695674899b68853ae1ea0f7b4d7fc71606bcc0f401cfe7fbc21be4fc4767647cd3dcc8fc3ab6099dfa1eba423bcff99d1a4f1b7eff21ae9fe07f68204f50d40e45ee4c1393d26c2aefe3fafaa9cffa36349b2ce535e19c3f8fed99b7144ae05235c296b734a4a04354261376e63f4e05a53c3e5e0b567f3728724a00b6d1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = c7fd6f5779dc148facafede0bef0c1e9a04246f01405117f4489cbd6d4d0f3e153770a9dcd3a762bc43e1b4db7e499539ddb35b505a0e92d92b5feb4d2b97726bcdb6260cc54387e7389e30e8ea792425d4a306e5d81073fa61db9086a614cf94b4ecf1d9803eb2e9fb79561113d4a283e3238f28133df76ce2b78cbf197224789	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 6472759915de2e202dd04c3beb79b092ee1800141e8c99b154f949b5fde47e9da62cdf3e78aed0eb799578ab181e0ecea660adec2797a06d326069856d5511b44e42ce34c57d5bfcb7464ed579236f4e9d18d194ea4e30b5b2a39b5f575ff7373670cb52feb8f12772fa8d20be948c628dbecb4123b088e6e631c262c4d15ef0b3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 642d1caf3cfb4c9e9643fbe3de75b6c9b9a984394885c5734e0faebf182ecee279f2885423d97e42a0db647759a518401093356b27c2402bee3c136eb2ab4380f7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 85f1be8d9729b99f56860a7b6a0f3d16c1bbe93a92eed527b975bbf8bd922806b92e9880a39dd45b0c2e52787858d2a7541dd45608d9bf557832e81a8014fb6cd14fdbe2cf873fb593d3ace323286db6ae05a988a597f4db7c9c88ea3ab4627bfa661196bd830d5ca445e0a5bc902b87f8248f79bf8c8a9233b84810449e2083c9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 07d9087fbe5d0c39635572cbf301a86999257a93c171361a0e92d1390eb89e211af79bf3831c5204bd4e46772aafb94032fdc1a1503394aebbc492cb45f97da7192358322a7d9243f06da93f8189f1806ddf95be1b8b93acf2d89a23b01c35b819ad97b995ec860a480efe3984ea29711c1eded2f4dbea07ea34d3d5448f932404	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 06cb20c30814cc53ab4ef4ea3e4e7798836bb13c3de31051f0850737e28ec74451cd87ebff453fea08d0cbaf9dca9fd8fdd8a04d2f56d1e32f88b2ffa715992e539a4e759092a2fe58e1e4b275ec1f0dbe45b80740c60d8765f5f0281781f2a10905ac6f661577cf1ce380793085d23b1d16ec057944b757f167388b32c5058175	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 64516105139357e8ea51e9239614b7066aa377e9b0c89ea5f0d1008f26f771ce49ee9c7d17f8d6c0e0f7a215251b44dd69f76bfc7ec0b2b2d6e151a0eed4c4c8184627157c4ffda3d452356165480fa1a64f24c0b77e509c0b768a350e89c95630bce22d38d5728899abac2dab85cc17a598165cc6173461dd2355c144f2b92d35	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\8b6bbed4 = 06c155ca4b070f259ae6f21a9b44ed295a279b4482270c5b4d29db2bac98434d59cbfe87884ba01e01361d86aaebcc7b6c701d13fdd36ee220a436e171ea867c2bde3e775fc35d2e744cffb05746b55ebd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 47c9b9b62862a110fbf1625709b4b1a9c24f802ec7ee61ae3d2cf80f1d58672c3bb7959f4107c64161676dfd916444984f0388de143621b8565d89dcbc07c6d7d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = c40f1c8f17eb562da1f41fb5967e6acdc70135d0e32b9bc8a8121943b1c12e1b81c8500f7854bc5d0e000fd2efbeebf6c12fe2e119ce1363bc20e5fc87bfc1c85e2c050350cb7c436906814300976cc2a4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = 062e4b7eccbbe3aea5cc19eecaaf360ff2ceac03bf88e3835714dfff99d32fd502c7c699da22528b143cfbc6843e87df6ececd17c391f63c7f51dd7e0bb290600d7a195a6697823a343c65a4f6daa7b42a1085aab413bca5d39586117f2f318773db421fc877d041bf0848f41835f5579b4cf86452a8c8f25524708f6f65b48668	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = c5f4bab742abfa86437fb88a38785dec5e7ec56aeff3243dc0a181702f25e41b71aec8c0e8e8b8238eb64727e368275a3a60017cb782d7ad1c14f6f652b44867f6480e71220f673e3f3c4c2cdd3c9ea99e82a6a9c1365baeb564c4e7ca16369f153b748f06968cb6da35abb63a3df9ae6fef8bfb55a806648ad442fa82f835b378	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 27bd6326855be278bae6462ff35e4a3fc51a0bf44bb7988dca4ecd407eb2d9619918d46846987faab1121d81b26e2bdb0dce2d6f8c385112b954c68938066f0122	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 665bca9bee1192a4780cb6c090621bd89ee1c7fae62d9f0eb095c211528e81aca380cf86a3d0b8637f659350e9b124f31362ccc3af07714056886c6aa254852c5d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = a5a804940b88f3fe433ed518f038f6628a885b3ce044e1e80cc173936616179105c1246032e37b6cc5217207159d0c8c84f55cdf7bb3eac1de92146a19864ac48712a63535faa581e617bee5e49ce21564868c8b1775a28f8b1311858ee13f624afff56f83d97eeeba1aa3be294d0ba2d712a7627df153f70da49ba35d32bdcc80	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = e78eb9ba592edb8395629ac180d65e03da6455ffd87ed0d44ad5585641f0758caf8afe1c9dd1fe11f6c4008fbef792c1607f194bfe197c7656abe692b3d84a96ab36f01ddd16c4e1cd865d12c64a0f06c39a8fe3429da0261e3cbddba9b6b330c753672e4807b6b07c27d9f393e6010a867e17ea07efdfd23a4af0cf33818b6940	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 44ece2f2e0ff9395498c88c16f1c65c196b71cab22affbda651093a551ce87cec9b27fa678033fcf1abb2ff71d507462e272baff97296c7efd9c5baeed5f3c1382d4bd7c16b9bedc1bca88276c87e38dadad4ef624790bccdc8589c35ccfdf4f85397f6ba55a6255be25227ec17a2ad7d906c5eaa9c42a692809643b1bf07106e2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\721ddc82 = 07cf9804c338f93933ac4a2b6ad8260b0968615f0fa6e68fdd7c076fd532a3a8b6fbd69a762c6ee7d4620473bac5a9156a4937c706323db3cef87eb1ee806288cb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = c6a9eff7208275d5f306b533ee489e4b33f089e7179f55d4f4f555403053747e95834cdd275e6eef41be3b1d20ab80f15e3c82794b8b8de823cc6836bdf1a084ab956a218885363a19425d05299b0d9abd76da2938ea59e74eeffecc3837ed40029c2b130a975a214e912e4bf6c9869b470e753f0b42e9fd669f1361db724b32e8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\6d52c7a9 = 256c4649a2136d01838edb06570416be0fd022b45c8ed9be76cc55944d89380263d04e3dc134d5e77e2e9735c8ffef45af1c9e31611ba6fd8b84ac88ec05427943c71116e347ae681f2f57a32cb43a8687efd3f7b1b630e63540f993b1d858e9ac48730eeba5bf780830b2be2c570f47dc3dd9782ca867746b8ab8608cb4dcef9d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\31bf8678 = 444bc14110071ae92d6437d17dd3320d42f14ec06d030c1aa2e382ac3cf977dc83dd2e01c139eebd7a91adc9578a9597b49fda9b7c4091d8c62282205f4787e1ddb363abca087072982abd006316837d7d603a6f38ce4f95b90ef431a1ecc139358014408d7b4e4cfdbcbb44be0834b6cedba64ade4ca4628b0f19db09ebf53932	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = e6b12ef9303ba9f6bdc83446a8c9ed721d3a8271e74a77dd4417d050c24a0ce51d162fc15259684114799fe89e0b0503ac2436f6a8b1ac4369eb32f6d8456c3be0edd0c38f0b36c05596e732727c9bb792802afd6028877f13fcd573c3d7c1a7d146539537e4228829f16f6f869aa31f820733f2abd0f313f1d0772172c5c4cc0e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = e5ffc81bfe0de4c548e657bdc934901d6484f92b8d035a1e009845653b7fb01077c4128b58dd2571fba3b020fbea9f37e9f25d0c062b5442afdf47549a20c2e9dceb4c8363e1c69f6fd5254867e51fff6f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\9424a5ff = 6659b9ec0c8fdd79d0c91995cf5faf3c9d11d2b6047e9f7a5479cfab5defaba8bf73414dea7f06f3506481abf36f9616b2932fe5fad7bd0f96dbef51a471dd4161dd25b012ff4566f996ddca354a615a6e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tehsburilcixap\1aaba21c = 47ec9fcc702d78be301e3de3e6d6818441bdf0ab4b3bd9d4ff60fc27d13f505470aa4f1edc705c86894ab147bfb396a20d314fa05328c3eea4c3fad723d013d7f41c502c6e6883365ce329501a090aff4bcbe815887db03f9de8e1a8ca23ff17c5b29bd36c436701d25bc52d7e384c351b050e77878a5bcba4bd37c79154e38f69	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
464	rundll32.exe
464	rundll32.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe
2880	wermgr.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

whoami.exemsiexec.exewhoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeDebugPrivilege	4072	whoami.exe
Token: SeSecurityPrivilege	4968	msiexec.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeDebugPrivilege	2076	whoami.exe
Token: SeSecurityPrivilege	5104	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.exewermgr.exe

description	pid	process	target process
PID 464 wrote to memory of 2880	464	rundll32.exe	wermgr.exe
PID 464 wrote to memory of 2880	464	rundll32.exe	wermgr.exe
PID 464 wrote to memory of 2880	464	rundll32.exe	wermgr.exe
PID 464 wrote to memory of 2880	464	rundll32.exe	wermgr.exe
PID 464 wrote to memory of 2880	464	rundll32.exe	wermgr.exe
PID 2880 wrote to memory of 3856	2880	wermgr.exe	ipconfig.exe
PID 2880 wrote to memory of 3856	2880	wermgr.exe	ipconfig.exe
PID 2880 wrote to memory of 4072	2880	wermgr.exe	whoami.exe
PID 2880 wrote to memory of 4072	2880	wermgr.exe	whoami.exe
PID 2880 wrote to memory of 1104	2880	wermgr.exe	nltest.exe
PID 2880 wrote to memory of 1104	2880	wermgr.exe	nltest.exe
PID 2880 wrote to memory of 2084	2880	wermgr.exe	qwinsta.exe
PID 2880 wrote to memory of 2084	2880	wermgr.exe	qwinsta.exe
PID 2880 wrote to memory of 4044	2880	wermgr.exe	ipconfig.exe
PID 2880 wrote to memory of 4044	2880	wermgr.exe	ipconfig.exe
PID 2880 wrote to memory of 2076	2880	wermgr.exe	whoami.exe
PID 2880 wrote to memory of 2076	2880	wermgr.exe	whoami.exe
PID 2880 wrote to memory of 4648	2880	wermgr.exe	nltest.exe
PID 2880 wrote to memory of 4648	2880	wermgr.exe	nltest.exe
PID 2880 wrote to memory of 2184	2880	wermgr.exe	qwinsta.exe
PID 2880 wrote to memory of 2184	2880	wermgr.exe	qwinsta.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\userapi.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:3856

C:\Windows\System32\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:1104

C:\Windows\System32\qwinsta.exe
qwinsta
3⤵
PID:2084

C:\Windows\System32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:4044

C:\Windows\System32\whoami.exe
whoami /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:4648

C:\Windows\System32\qwinsta.exe
qwinsta
3⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1228

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4108 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/464-8-0x0000000180000000-0x000000018002F000-memory.dmp

Filesize
188KB

Download
memory/2880-0-0x0000026838780000-0x0000026838782000-memory.dmp

Filesize
8KB

Download
memory/2880-1-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-7-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-9-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-10-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-19-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-20-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-21-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-22-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-23-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-24-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-30-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-31-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-32-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-33-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-34-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-35-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-36-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-37-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-38-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-40-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-41-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-42-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-43-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-44-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-45-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-46-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-47-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-48-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-50-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-51-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-52-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-53-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-54-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-56-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-57-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-58-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-59-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-60-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-61-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-64-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-65-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-66-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-67-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-68-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-69-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-71-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-72-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-73-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-74-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-75-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-77-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-78-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download
memory/2880-79-0x0000026838750000-0x000002683877F000-memory.dmp

Filesize
188KB

Download