qakbot | d832c8f49706ff93871a111be8fb280caedbad5b368f801dd720c7786f872e86

Analysis

max time kernel
1200s
max time network
1201s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
26-04-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

64B
MD5

4a5c0851841d5f1927ba79b7307a77f8
SHA1

624765f7ddb16d57ba10b053d06c720d304c484a
SHA256

0e4e4ad7098ea7deb02d5ffaa3e08c89e44fa7083caef8e7ddcf13fada1e2f9d
SHA512

64773939e5545c896a82fbe1629e7eaa5592b1b99e28aacc28666f073b48c743376dd3a1be6d9cba70f9bf19cff72e5c77869def524bde4bf050c593d9ef3016

Score

10^/10

qakbot tchk08 1710958492 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk08

Campaign

1710958492

77.105.162.176:995

31.210.173.10:443

5.252.177.195:443

Attributes

camp_date
2024-03-20 18:14:52 +0000 UTC

Signatures

Detect Qakbot Payload 53 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3984-1-0x0000022A4BA10000-0x0000022A4BA3F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-5-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-7-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-9-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-6-0x0000022A4A230000-0x0000022A4A25D000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-11-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-10-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-13-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-19-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-20-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/3984-22-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-23-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-21-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-24-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-33-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-34-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-35-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-36-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-37-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-38-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-39-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-40-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-49-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-50-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-51-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-52-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-56-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-57-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-65-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-66-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-69-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-70-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-71-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-73-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-74-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-76-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-78-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-79-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-80-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-81-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-82-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-83-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-84-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-85-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-86-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-87-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-88-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-89-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-90-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-91-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-92-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-93-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5
behavioral3/memory/1636-94-0x0000025A08930000-0x0000025A0895F000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4968 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4172 ipconfig.exe

pid	process
4968	timeout.exe

pid	process
4172	ipconfig.exe

Modifies registry class 64 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = a554bb5eb7ea64683659a734253f7986d3cf05ad32dd9b1bd631f48428011b571af5bc09209115463fda01e73ccb0c209955c89fc1ad94e85737db6cfb3b084d3c1ddde377029a25692278ca2beb59ee2c5eaecd2abfe510c347b5d71cc2757150	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 865c87da29ea36e00332c1f39f393d3088c016dc39365666e515ff9e393c27a5b8c46b851290735af664b0db0190eb8f2159427b2a6e2c87df80ca8e2b33314fb64227f5424b3c1e514e4c49fe5271b64e41806b952c087dca0142557c4f1449aa582f448310f649dc0de8036d865fecfdba0090d36daeaf447108ac2e19e646fc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = c70785d346b8bffe5b379bb24d2a2f84cb3c62213580407374dce86b58b0bcc42c472dc763afbac85ba6c22160c8dfc5833d558102932c1679a8d0edc7a98affed	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = e647b38e1a23feecb1dfd1684e4d4d70c75e61c7daa5a863305d5f9d455e5bc3c2ddcb84359fe74d2b731c57a7b66928f4cb7cf420571e676f45ccab8792c9f009cec2607b63768c14e594c04c4faa5d880ff604b1d433f3c49dfce234294c56107c9f552f721bc299ee284756e18fc33c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 8557ede415f7f35c778825197c24653b362244df238cad1e2229ec08c98924b75412f39b5a5075b3a9ace02bc3ee8cd2e7722c488bc19c6ea74869515850e484b6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 64117e0f488ae6dd1d503700837c6b22346be0b59f49a0621b4795d25efc8489ec5be2dc49ac77027e05fbc052d2db314b3127d19f3ac91a495e9373a4426d24636660ff53102287b51d5710afdd9cba0bdf7b0a7f63f622b37085d06db8eb4a5fa98a9aced2d311676b8ecfe7898f200a257ada5a2ae2cf0e850546fee900a864	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 85aa643d7702c4db07e72e056fd47d5cd544d1457e9b812188baebeced9a50c737069b7babff8b7ace2fdfbc577b4a216664a8cc04a367e0e7d8a10db6fd31c810c687bbb7e9c8e42386924476cc4a1def2209ba280c3164c49b737a4b0446ef5502e90971bb42b2356cfdb33d443e821d3e7dde11c1568c4abdec4c74dd720bf9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = c684db9dd37897d5f1710fc8dc288338342fe1b9fc7b0643730ae082a92873ebf5a0c850543f14e8e846ff5fc4a05637cab1679664f70e2051fb1342a812c919a0ad24e66839901f4dc3aa4b84f906127e8db6e253758c0ebe3e87ef72493b4d225a7cdad6c828b12e98bd70b0f423f7a79748f81fb821c4fd7693fcaddd0d7297c48df50779547278011c3845a88d3c81	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 2686d11128a07be9aba9f56ddefa98c79abc9816fb054640f6a6585c3c43e763cc760495910f44891301d06fc89fb44128e7a091e4be6a502e1ade06e5d7b0c090afb6606c10e3f7619340fecf337265df1960e100b5aa8300f4891c52ec1699073bf2b7efc28c0c78d4fddb6376781dce	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 47ba47f35cc26f8a40768b8dbc89df1bee79b0bb638732ce4d13d41065aabb4312282644ccb8c0788053e34fb05432d476a1af5f6d02b99be9da80d7e6889ffa4e3b05fcf16b94438e4a766afff28dcd10eb16db3fbec8d1a22f999dcda635c3a449d633ae1b6aaf4a561eea9e80d802fe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = a5769e83800536d093133fe3ba37b334b56dc4fd335023929c7e4078b298d913e6ceffaa46e3f2973c3a1c791e18978dddee2c8b984fea00fa8bd89668c170604556aa99e362326724c078733087e12fa37763902c3885b98d244140553ed506d3706655781c126b0853c11c61a0c66734c08ddd3b8cd21c8b6d0ee8a7cb1352b0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 8497669eb809185c35c77ded0165054c18088d978086715d8e578c1a461334d93e9a972faf1e12e0ec3befa6dd919deaa4a98071bbb1ae878a0578b57ac45a1961d1139ebc1ee739a7c2bc1a883fa7b863bcbeba9eab26bf6532e1c090a008e35e466b7ab67ce6e1203adf24551fb60d4d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = c6c6e6233b691571d5b3aeee4e22685bed18b5465dd97d6db5370063e0421a903eada1acc2ce9c43bbfe4e2197b97a3937827ebc47967d8e674bca2845500b935c2a35962d8342e48033e77a8a02f878100eb5b691876df5199d3ae317001907b041d4d852706de44154cb7534ffb4766206cb7f1120471703a8d51128a3871673	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 05a56c549986436d0f20162e3805b8ca681bb52dc3dfb4ddadc80d70a445be79f52ae3d8c9da94a3a6b6c0a1f4de509aaf206cfcffb170fd6ba4bbc8085658f1e2c04ef42416f0c2fe6561438a1b6a96adc355635329b6fce624ade57d4e9c8897	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 261d12ecb87ca570e02e39675325c9ac86fd5fec1ae882ff156027c8f9ec21d231de6daeaa47947d86015dc285eda38368cf34b61093fd53ca060957fd1c6a21b93f7c29a6903bf8ef9cc49035feeb7d8154779722eb0ee19b02808c3e7afa37951f769e5b06838eb10667850a1d7f4b97b72e6258a47dda804a8de296cdbe79c91a7e2000de83383d85855b03a0caaba4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 251b50edf8ae403b5ea07e4030e5c57f5aa00ac6bf3f69132238e2c5ad5e01792d48fb72d63980292398aeb295736c84fa88e0a12fb064c5365c32a9a5275e480d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 047cae546f65bb67a46f891fcf6c5f6b80e55ecb93c181c885cdceb80bacc01d686ae13d606fb46ff17b14f6dc6a8c912613a93ffaaf35c4310b044747409c9f9b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = c6944ef28c26e75e3d4a8f258b6a4d65aa953988421c8a1b848a8a3b0f1e2728b12ea8a067bc52b33d8052598584976414bb8e47bd9157934435df99988683ad1885c30b55f3eb0fd49f5b5bcab7df935f9152ef82971c2c1026d8e7249909df3695c027f5084895577bf430a62f7c3dca4911c34a4c2da6e37bebac881de914c58b95e174915538de90d251d60c5ec3f7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 45b0d885e0d72155c01559963ac43a1af051f080260f8a9bdbbbe341de6d8cadf27ad2213f2cd4d2f3141343adbae62ab589d26fb4ff3fa8f36961fd279c54270feb5beb1a14253f635a8e0c0b9836a0d39074b2eaa6924f9ad95fd413589f666b6f25fdeb81de83d0f877d07dd9c4dbbe8c41125a958a491efdc69c529746bfde	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7ad68372 = a62cd4db5d784b229112e9b1b22676ef6c58a62c249dc76b99c1fc572db8665cb79eb574dbdbe68c5ab5f84a0868033890	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 253e32fd140064ce7a324edd353f165b9b202cdb2291cef2e871c810c6d80d9193625b52439ed01e3862eae2bb49e900c5868b5c43ca6e794cc01a0e6866e04d2602f523f0b24a848429755c20cd016246b23f674b8754a7e3ec4a4d677e55e8f74114c630cd4c77eb296582a2be060fdc3c9f6e6f4d41752ea73ba3ee68f0248c1c55982977eed3e01157572b313a8752	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 8468275d199f17fe7bb9917e77c7982df1a6cbdc51ba5ab784dc2934e7fbf5764136997b9bff03013c03329dc07a2cfbc718a026058e808e0eedea355036df5017226beef069fbd337a1cc054a4bf35845bd2ffba297d508425b147c1af9e1c5dd8416a7fa5c77beb9c300833254b3d26c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 27c3efe0c25f417267106a7e4b2f288ffe6f1b660f830dfcac2727572b556401b84a8030692dc32fa844131da8d7eaaa341d5b455ddfebd40a5c06759255c042bc45632c56b8ad03f98c706bfd7ad3484e9cccc341f53cd85b8871a61d8aeee292c719f95798121c89c02aa12ec7c9ce88	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 055d39214234c018c4e786d08754d8452a8936ce14c5df36367890a3d59904cfbcb6280ac333651bc434b61b5d23c52db0a4f48b4120da6d02478391d8ab77556fa17a15284f03eb4be33703bbd36bf713eb26fc502c7b98f10b6006c0cd22cd5cc6bc1e94a1b8a1ec9a3b72b5f428c918	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = a671ef3bdaff6245cdb4ceafb25dd4e8b1f73ddc307b3326d8b4d38233bada59c11c8308ac3afa142ebfd1b1ffbe94512abddc04d517a814406c62b286b6093fb2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 85bfe63b594eb9441d2d774ebb276ce6cde8264cba1e1a3b873a525146cb67f73353e66ceecb4be9db5306367242e9f0c3fa45ae27b69f24e2b646a643a2dbf8d11502ed4264e32d3c22193a24c5cfa5aca01528f332b9e9963689b263b2e570e52bf5eb8090c1fa4469091162f47e5f1b34f52c5ee2435d0537a6a431b6141253c6db2d8e9b7eec0db8ec3aa36cfaddc5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 45b7c4d0511217830661053a342ceb9054e2324de64192f2971652d47670f6646d0100733ef88df012c066b1328d765e124e73555780bbe5040b9ec83392d60015fa7d2ef943f72a615d7536ed0e9b5f0bab179c55845bc77c45dc31874ae6350f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = a528bc56875b6c6c93f98d95ec427d7a5e0e399fbd4a273f004c1537d69504127160a3dff91c0bf02726b67fedf8e17b0cb50e346400806ad679b73d333df90d705077aff0ab48402ddab3380d9ae79d8d7165f46bd941c74845ec640ac4d90f303e95174b256c23854918a272ae12f7f527ea5e56e1f7d7a80c9af510caa4707e232ebfbc7227c3eaface17f521b83f05	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 4401bcc3ba1c6236cad10c05a7edd4bcd0e9ec63b0c56863799234b75a8d180b4e1eb5214499f2a1feaa5f81e7f837090bf240ceae161b34bb8272ab6ae45dc69a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = e763b6759201f6d77c6e5ee3798725088a2a6946808ca453da880f137c48ca00e3c59c77ade96fce1656a2c173a0cba552105eb7110b822e35fa09c7dc0cf210457142156257fb5d2d740ea20340d4a20f8051b9afa48648d72636e87a102bb400b7a3e42815ac7b20897092b64784cd72	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 0421b4e3a52a63441ce1995c2c6a8e63bc13abba8063b5688765bdf8683e1ed55eb5fda09b72eaf562d1b6dcb34eebc71aa3a1800bf1d6317b883b010ac7a94a07d375aa160fb578c73ff998a69ffb2c867bbb4e48306eff1ae5d6eb664d8ffa0397cb49d68cf4bdd696f978c0c7435bd10a066d6b19418ac227d862d1459433ce30cabc83323a61a490a5993b6e95f1a8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 87fb4db2e6732e37c69f67780ebbf97ef308db3287a25e06ee55ceecf853b34198fed954ea0abec58e0c8cbfc487944ce8c2b5705455cdbec26fa71462397abc5b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 45bca61a921de28ac38201c451b80c201400a772b5bb4b3ff965047f5e3a512266efccf2c7e034494dc6b8bc47552d9ede05cf7d7fbe023e08211424c6fca77484	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 648b5b40956368c12dd874676f4424e6b034c6c38d0230e345fb3933bc62f9e1441e393bbf6149acb20638de964ac5ddc8ade058ffe308ba9a985bc6e41cbcf9bfa447b84724fe2bb582ec15310cf61e5b5ee98815dd9aa2ec3f6e4e700cff90e0dd7ecb5730c9a39720ab1691fd83df35415b5ba3ef3c7d871182cad0a731431d93b55fb7c385c4087baeebb9ae649d8a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 05f02b0759a5ceda7fa2a0029a25844699757f8a325a103ff0f7948958fcb43bbaf2328eea1cc8039e2406b9241504bdbfdf6627727232ea84b4da7aaeaa4fdce85e93077c3b7ce0b13af76f53099aa4bfc6aa962759479d00451a3cc278622ec66063808ef8842ba06d000ac7d67dce80	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 2618999405cb903b52a3fc2fc40f1a947618382ca0ee3ba89c2276227268cd6b9dfdf12b94e998f0b7d2741b526455c84cac4b34526dd8444c65ba65dfcdc86b1e3b031dd8655496fded0745a8af48e713a5b30044768e192950423cc60daa5acc73645e77bf64a0cbe4c96e51c453dcfa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 67b242aba3d3af812ca785dd0d6668a0a37162c7865dbd6c956bf5445b2563520873e30a26da64ef6f38609b2be2b10b161a30f7b33ea9a32812e8f29fbddd605e38e107a228e4d900825df623232f3abc57afba2f02f3e5747f0e3c0371469d093ae86dcd3a34757dafad0d4d1306347d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 25f9f81af204745a4246415d32305ff51e652c90a303f0f0655a110ceadb8f4521396ed815363736db77e4eb0d7d959a6e71c327916cf7d913a40353df0750d6c688f4bc41e744f97fe2e6d73d7e539e3016fa6f7315ec5f2cc98533219181d8b45c942fc1bbf86d3bdbe9fb1f356c80444646249d966fbc599806b777f6860759	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 442e43d4f4fce8bc9011ce1918b0362992eb4b0547f3d5640cbc6dae78e0315346930b92f9c91c786b2dc7a70d830aa6c883d257e9254e7dcb8047fb4470ab1527	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 24c3ab77be6815f297751ba6a987e41f739baf02747469c6c8a5b903ba85116f99905923659111c889ee838799e8f0bce850ac1bb3f08f77344c19bbf5452da180	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = c4c54cc93c76a82986f887b747fe1c6c3b35c0e7565ee7e8b9ff923cfaaf6c926a8f927c1a777b2836a756c2dba6d0046a1485bb869671d168344ad1156d1ee0af94ac82474e50b2cec4d49ac3b316667a114f9986f414bc52df4b3766f1ab9bbaf020ca75105f6939851eb1254e9dd27b99dfdda8942e8ea01adc4ef79c6287814f1dc9382acbb34ba93973f38a2b8bca	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 84afff2af0373d27e60aebf6c6fa36cde05b4daf07c50dca217f7406836d7a5f95043259bccca89a1c399de4799fd159d5c7ae9b40fcc2280b6d0954135858404b4052aae422a758447d964d20df8a8d6dfd676ffd846a5ff38ccdea226b598eaa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = e75c5470aca2e6b413ac933c656b9f112ef1eec2480cb3ad42e7785c9d16f7b842524603c07e151d040a03b1c5fdebdf471e9f5c93a2e4abff08087b3e785f1f75b5a890e7bbd9a886a131ffc572946027561df3cab1673b35283cd9aa75341cb0ed06453ac5da3494ac93dd2c0b703a1e408340227504c00d4f343a501479990b55029c21a65c0d5bf3b33e83d8ae7b5e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 87f072b2b88d1f13d45004c5839c6f734bce8580081db94d4ff2a866f841c6723853d4a1630d1b2deb20fd082e4def58c76f74d32dfc37a59407ee24e4e4c234f709aeff29eb38e682ff36a3888d74604e6d289008b592bedafd3651d6c129c6b5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 244a8d26ff97bdeb772ea85ad948643cfa2060231d80a526de8e73bc1e052536b4963aafb619a1f633916c1580474dc25e19af0b2c3bd96bc29c1c4ff19935c314d5e6ab590f0d79b44d6b6ed43b5e2c5970b02fa244570b909c1cd0a75715b3f1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = c40357bde37b53364e6fd171bf52ea8d2cf435af05a19de0d5bd7fa6fd9975f2bc514ad9ad0f3a96dbae2c252e5566a74752567da067a6763825714635f9446b1add798b49a7adeedd686a3b284c6f4da4fecdfcb8afa3c802e02d9ff36d5772d3ed379e9c4d73eefdcf147119a93d390d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = 47b76dd3c65aec5292b9c59faec76b962d88c24681adf57f91cfb47a33c8f2cfa6498335aff7425c7362b4a182a8b814bb1dc2fae301bd4c69bb49fb7a3caa4f6db224f40997095b4a17ddd6e5b019ec031c63a08db434d63e70a26028acd184e1800fddaa8ab16ff72e6e6734c6faa52d182e0326d940ef21a9f6f046d130bca6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = c6e98040e599eee6575f01319bea20cf8376abab4679a09235fcc739549d67092695c18523dbe86f604a0e0c0c89388828849f8bb63cd15760a321e513d5453194a0001bc68c59ee76bf8cc7b1a014b94559e3fe257e8359624e67f7bb07e695ff1dc26803d62c8b7b382b6705d3022184	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 86d4b7058d4e2ffa04ceac0a43d62a72857db29cac3307baf8b1ac1eae5269a676b2827f0f67cd9d3acd2447c6ba1c428a56ffa6bd653f95e76c7bf3badda273b9788117ca2343d2605de52a18baa68b774a53eef784083451585de21c4db99196777e43668fde43a10a464b498f94fa5b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = 84fbb184eff798bf59cf1ed077249d7da57791ea798dfe1eb66990fd134a530a85c0224d7b41309d5a93bf48f11f7d863e8f3446a020734f38cf0050542e40005d9793fa2f7febfc8221820bf3fdf74aa0f5a127edfc0d9e634495190da97b90f84c8eaffb97192385a3b02ec07ee453a3b3914958d6104c1896df6d83ea05938bca2ffe5035c22bbe2c8c2b96c3d2a47d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = a55fe56285772cf3223c72d033d1da1b6b081e315caa2355b03f8d48037472465152522dbcd36d3051a1d37aa0dde62c60bbd2dc5b15574037b3e2f8c2b6be0df1ff68b8239e5946e1096346302fd25467a50bd227351d1114428efb496fc77d2a08eb0dfabad7eea35dbb9d37fc2d5248	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = 47a94c7fa470512f13d8091f686faa7a4e3b3025b0aaed12b48101ca9429ce77567408affaee4918809fd4234a2dd8b61ade0a70933d1d06df6f05e55876696ea6c49a7bbfdb4ee64c4b2b9bb0115cd9c42da6df5a01c87026b62dd5d9763ae582b77296c34a96ce059b907d498c9e030d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = a748453b809ac1f249c20371b41b9875f700b103cb2fac3427540c5c90dca1ca9a1729ed6ffe16367c7d4a518ea6cb4a51b2d1dd897aa4c5f97467b73c40addb86a065067e27c120e17600373ff1674e20b34bb96e1d91e7723ca90bec0f6d881a60e81c8fc054a6cda9feaa3e9f5921bd4550467ae61ad6b1e49e572790109345b4981418cb0c03b541c0efec7cd357d1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\e1d396a3 = c573779818e14440ad61b760c090b9320dd524669d99898789413e1cb2fcc7dd7c92f517eade31b0480d475040184283ecd0ac4c09140767d66fe94a98b00e026f46252b61fbabe9ff0a27af3ca6fd212dc4408ba6d5f29a7d7bae480fc7dfb2dffb876ea42bc0a3ea08d4084457cce1c8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 44c9e559f9b3575805115c23f10c8affd793919048e5d5e8981f8a9b187d01d5e5e7441f84aad9d24a01ea0d425cd4b9e1b841b4284427ebbea26640cdc327c842	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 06ded531c23e12945ff4a58083af021eccd760dfc5db328b71241d12683333ff6f245c8451c5700f3cb5439c8fee3879fef23b37cfbc8e5961d80919dafe271bad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = 4640fa7a4c78c4a51107adba39d3ba99f9369950fdc19c05b94cfc658ca43b7c89419ad1ce07561b49c459f4538463e7da81f2d09cad0e77c201dbf6e214995d1a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 87b13a4c8b5250e52f8d28443044de21085ab88a349c8e5cb74c278b81ef7022502394d17e2173c074fcf5b160c31b032376ba00a53304dd485be49f75c4c932569308c95abc2869f9860c857f3cab3be6f5cfdc6f952fb3f819cd0f63d25771d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\7eaefde = c7ca02298f4ce7d94ebb762482ec066f9d010207bfc7defe3393e7b4b30a2cef5d7b629c14c2e68467ff0f5f371e14eb0fbfacedb549307978fd5fbe6993d3fd0d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\18a5f4f5 = 87a00c13df5bbf99622bcc5b62d98167c60417752943b4441fa02dc566e28c7e55dd9260a86560e33740b6fee0045741164eebb8f117c7556971e3271923c506aa969bb4cf52087abcede08bbfdc11c4aed869046128bedc1aba04e31b7de6ef3b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = c7aeb65f18bb35e5af182449ebb4aefabbf00fc40eddc73069549216ee1b4135fbc1385c56471d780cc5921d5f34beadfe3fa47a97106ba1692d32b0f4c39aa5c25fc24377be925b9b270e30b18fe20afd237bd720f2f72b8563a3fdb8c62cb1ed26874fcff6400d99189bfdbc7c517fcf51f4705e6dd0e2026641c95f3db6918a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = a4a2ac6722bde990ee8eaa50cbfb35c37315e0d9cd089e8e25124713f81ecacb02dcbbd6217a5ff2897aef182ade446f9cc9d831fed31a9c60ad2a0d770a7d1309e36d13c50020306f30c332779aeaf04e4b4128511ccf2b06dcea6293a18755fc3c227bc5928633d33584b76ad7f63ce30e30bd57cbd8651b8a5fbd6cd58ea1b4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\fe9c8d88 = a41bfd6e18a48da79a157db1b5edda7ffde3ac80d6d05c18b58ff577d014ee222f97d3e17f85d3272e9d1407f62d33fe57266bca9ff14d10761dbff12d90a51b54d2ea098da0e2effb360b89d88db0edbf250e5d185a49b8629796203d04765a560afde9ab999ce998f5aa14aabc60f2aedf410b7c51d0323631d73c37e6f0b72f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\iltybmnyaoutr\962af316 = a69bf8f54a0d108dc3efa402dceb7ffad7991be818816cfdce0d5aa499a7b13c7a3eab31f1dcd6bf4270a0a757b0c05a64af54b42f50b02c8bf76f30c994afd286e4c3573d4216d27d37e06fd26e09a34b117bfa87d998625a18bf2ee20d95c0fea305997824a80cd40a8333b964f52c555e6bd219f8701896e14f52e17e3033f050f7277cb5ca7ae0536608bbdac25cc4	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3984	rundll32.exe
3984	rundll32.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe
1636	wermgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

whoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeDebugPrivilege	4780	whoami.exe
Token: SeSecurityPrivilege	3092	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1896 wrote to memory of 3984	1896	cmd.exe	rundll32.exe
PID 1896 wrote to memory of 3984	1896	cmd.exe	rundll32.exe
PID 3984 wrote to memory of 1636	3984	rundll32.exe	wermgr.exe
PID 3984 wrote to memory of 1636	3984	rundll32.exe	wermgr.exe
PID 3984 wrote to memory of 1636	3984	rundll32.exe	wermgr.exe
PID 3984 wrote to memory of 1636	3984	rundll32.exe	wermgr.exe
PID 3984 wrote to memory of 1636	3984	rundll32.exe	wermgr.exe
PID 1896 wrote to memory of 4968	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 4968	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 1704	1896	cmd.exe	qd_x86.exe
PID 1896 wrote to memory of 1704	1896	cmd.exe	qd_x86.exe
PID 1896 wrote to memory of 1704	1896	cmd.exe	qd_x86.exe
PID 1636 wrote to memory of 4172	1636	wermgr.exe	ipconfig.exe
PID 1636 wrote to memory of 4172	1636	wermgr.exe	ipconfig.exe
PID 1636 wrote to memory of 4780	1636	wermgr.exe	whoami.exe
PID 1636 wrote to memory of 4780	1636	wermgr.exe	whoami.exe
PID 1636 wrote to memory of 5080	1636	wermgr.exe	nltest.exe
PID 1636 wrote to memory of 5080	1636	wermgr.exe	nltest.exe
PID 1636 wrote to memory of 876	1636	wermgr.exe	qwinsta.exe
PID 1636 wrote to memory of 876	1636	wermgr.exe	qwinsta.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\rundll32.exe
rundll32.exe 02.dll,checkit
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4172

C:\Windows\System32\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:5080

C:\Windows\System32\qwinsta.exe
qwinsta
4⤵
PID:876

C:\Windows\system32\timeout.exe
timeout /t 10
2⤵
- Delays execution with timeout.exe
PID:4968

C:\Users\Admin\AppData\Local\Temp\qd_x86.exe
qd_x86.exe -i
2⤵
PID:1704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-51-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-92-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-94-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-93-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-52-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-91-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-90-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-89-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-12-0x0000025A08960000-0x0000025A08962000-memory.dmp

Filesize
8KB

Download
memory/1636-13-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-88-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-87-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-86-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-23-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-21-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-24-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-33-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-34-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-35-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-36-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-37-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-38-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-85-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-40-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-49-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-50-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-39-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-84-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-76-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-57-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-65-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-66-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-69-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-70-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-71-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-73-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-74-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-56-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-78-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-79-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-80-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-81-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-82-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/1636-83-0x0000025A08930000-0x0000025A0895F000-memory.dmp

Filesize
188KB

Download
memory/3984-1-0x0000022A4BA10000-0x0000022A4BA3F000-memory.dmp

Filesize
188KB

Download
memory/3984-0-0x0000022A4A230000-0x0000022A4A25D000-memory.dmp

Filesize
180KB

Download
memory/3984-22-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-20-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-19-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-10-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-11-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-6-0x0000022A4A230000-0x0000022A4A25D000-memory.dmp

Filesize
180KB

Download
memory/3984-9-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-7-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download
memory/3984-5-0x0000022A4BA40000-0x0000022A4BA6F000-memory.dmp

Filesize
188KB

Download