qakbot | 18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

Resubmissions

31-10-2023 16:23

231031-tvvw9sba41 10

25-10-2023 22:14

231025-15mf7sha9z 10

Analysis

max time kernel
98s
max time network
67s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

old_unpacked_qbot.dll
Size

120KB
MD5

35927b301d9cd6c33a927b97dccf6266
SHA1

1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da
SHA256

18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7
SHA512

0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b
SSDEEP

1536:DCEh82pWrjickOZol59ZJkCZuH6cYTUk8JrNZmwmIOvnToIfwsbuYkR:WH5r+ckl57J4HpYTaJBZfE/TBfwkuYk

Score

10^/10

qakbot obama125 1636625439 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama125

Campaign

1636625439

117.198.155.237:443

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.72.121:995

216.238.71.31:995

216.238.72.121:443

105.198.236.99:995

136.232.34.70:443

41.37.243.129:443

140.82.49.12:443

71.13.93.154:2222

96.246.158.154:995

102.65.38.57:443

71.13.93.154:6881

123.252.190.14:443

45.9.20.200:2211

136.143.11.232:443

103.143.8.71:995

103.142.10.177:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2332	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2164	regsvr32.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2164	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1628	helppane.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2580	mmc.exe
2580	mmc.exe
1628	helppane.exe
1628	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	28
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	29
PID 2408 wrote to memory of 2332	2408	explorer.exe	30
PID 2408 wrote to memory of 2332	2408	explorer.exe	30
PID 2408 wrote to memory of 2332	2408	explorer.exe	30
PID 2408 wrote to memory of 2332	2408	explorer.exe	30
PID 2580 wrote to memory of 1968	2580	mmc.exe	36
PID 2580 wrote to memory of 1968	2580	mmc.exe	36
PID 2580 wrote to memory of 1968	2580	mmc.exe	36
PID 1392 wrote to memory of 1352	1392	chrome.exe	41
PID 1392 wrote to memory of 1352	1392	chrome.exe	41
PID 1392 wrote to memory of 1352	1392	chrome.exe	41
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 572	1392	chrome.exe	43
PID 1392 wrote to memory of 2132	1392	chrome.exe	44
PID 1392 wrote to memory of 2132	1392	chrome.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gmkmvxx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll\"" /SC ONCE /Z /ST 16:25 /ET 16:37
      4⤵
      Creates scheduled task(s)
      PID:2332

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SubmitRead.wmf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1044
  2⤵
  PID:1968

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5069758,0x7fef5069768,0x7fef5069778
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:2
  2⤵
  PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
  2⤵
  PID:1820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5ba87bfc-12bc-4138-b169-8b45388691eb.tmp

Filesize
217KB

MD5
c9bb5ee2d96e1912f6d717cae04ae921

SHA1
7fc4fc2beb502946e8c92b67e6a44c2eea343d50

SHA256
ae8055219fd1098846f2bec98b6feb90cf8f41bc9190ba7cfed42b27cb1249d6

SHA512
aee99e2861b45746f84cb325edf184261a5cea6645ffd85ef410f68ded55b9948f45b4516eb2ab765dfa056ce429a41ee7e09e4bdf6f643edb6bc70e8a9ed7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
memory/1628-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1968-29-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2408-2-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-5-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-6-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-7-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2580-23-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-30-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2580-19-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-20-0x000000001D0D0000-0x000000001D416000-memory.dmp

Filesize
3.3MB

Download
memory/2580-21-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-22-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-17-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-24-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-25-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-27-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2580-26-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-28-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-16-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-18-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-31-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-32-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-15-0x0000000002CA0000-0x0000000002CBE000-memory.dmp

Filesize
120KB

Download
memory/2580-14-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2692-207-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-208-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-209-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2692-210-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-211-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2808-12-0x000007FEF74B0000-0x000007FEF74FC000-memory.dmp

Filesize
304KB

Download
memory/2808-10-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2808-9-0x000007FEF74B0000-0x000007FEF74FC000-memory.dmp

Filesize
304KB

Download