qakbot | 18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

General

Target

old_unpacked_qbot.dll
Size

120KB
MD5

35927b301d9cd6c33a927b97dccf6266
SHA1

1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da
SHA256

18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7
SHA512

0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b
SSDEEP

1536:DCEh82pWrjickOZol59ZJkCZuH6cYTUk8JrNZmwmIOvnToIfwsbuYkR:WH5r+ckl57J4HpYTaJBZfE/TBfwkuYk

Score

10^/10

qakbot obama125 1636625439 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama125

Campaign

1636625439

C2

117.198.155.237:443

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.72.121:995

216.238.71.31:995

216.238.72.121:443

105.198.236.99:995

136.232.34.70:443

41.37.243.129:443

140.82.49.12:443

71.13.93.154:2222

96.246.158.154:995

102.65.38.57:443

71.13.93.154:6881

123.252.190.14:443

45.9.20.200:2211

136.143.11.232:443

103.143.8.71:995

103.142.10.177:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe
Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2332 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

pid	process
2332	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

helppane.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main helppane.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

regsvr32.exechrome.exetaskmgr.exe

pid	process
2164	regsvr32.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2692 taskmgr.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2164 regsvr32.exe

pid	process
2692	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mmc.exehelppane.exechrome.exe

description	pid	process
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: 33	2580	mmc.exe
Token: SeIncBasePriorityPrivilege	2580	mmc.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeTakeOwnershipPrivilege	1628	helppane.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

helppane.exechrome.exetaskmgr.exe

pid	process
1628	helppane.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

mspaint.exemmc.exehelppane.exe

pid process

2808 mspaint.exe
2808 mspaint.exe
2808 mspaint.exe
2808 mspaint.exe
2580 mmc.exe
2580 mmc.exe
1628 helppane.exe
1628 helppane.exe

pid	process
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2808	mspaint.exe
2580	mmc.exe
2580	mmc.exe
1628	helppane.exe
1628	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exemmc.exechrome.exe

description	pid	process	target process
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 1164 wrote to memory of 2164	1164	regsvr32.exe	regsvr32.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2164 wrote to memory of 2408	2164	regsvr32.exe	explorer.exe
PID 2408 wrote to memory of 2332	2408	explorer.exe	schtasks.exe
PID 2408 wrote to memory of 2332	2408	explorer.exe	schtasks.exe
PID 2408 wrote to memory of 2332	2408	explorer.exe	schtasks.exe
PID 2408 wrote to memory of 2332	2408	explorer.exe	schtasks.exe
PID 2580 wrote to memory of 1968	2580	mmc.exe	dw20.exe
PID 2580 wrote to memory of 1968	2580	mmc.exe	dw20.exe
PID 2580 wrote to memory of 1968	2580	mmc.exe	dw20.exe
PID 1392 wrote to memory of 1352	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 1352	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 1352	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 572	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 2132	1392	chrome.exe	chrome.exe
PID 1392 wrote to memory of 2132	1392	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gmkmvxx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll\"" /SC ONCE /Z /ST 16:25 /ET 16:37
4⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SubmitRead.wmf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1044
2⤵
PID:1968

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5069758,0x7fef5069768,0x7fef5069778
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:2
2⤵
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:2
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3764 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1292,i,16373388356283233861,48925657451472970,131072 /prefetch:8
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5ba87bfc-12bc-4138-b169-8b45388691eb.tmp
Filesize
217KB

MD5
c9bb5ee2d96e1912f6d717cae04ae921

SHA1
7fc4fc2beb502946e8c92b67e6a44c2eea343d50

SHA256
ae8055219fd1098846f2bec98b6feb90cf8f41bc9190ba7cfed42b27cb1249d6

SHA512
aee99e2861b45746f84cb325edf184261a5cea6645ffd85ef410f68ded55b9948f45b4516eb2ab765dfa056ce429a41ee7e09e4bdf6f643edb6bc70e8a9ed7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
\??\pipe\crashpad_1392_OBLTFGVFBOWUUKGU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1628-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1968-29-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2408-2-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-5-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-6-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-7-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2408-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2580-23-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-30-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2580-19-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-20-0x000000001D0D0000-0x000000001D416000-memory.dmp

Filesize
3.3MB

Download
memory/2580-21-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-22-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-17-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-24-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-25-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-27-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2580-26-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-28-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-16-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-18-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2580-31-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-32-0x000007FEF3ED0000-0x000007FEF486D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-15-0x0000000002CA0000-0x0000000002CBE000-memory.dmp

Filesize
120KB

Download
memory/2580-14-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2692-207-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-208-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-209-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2692-210-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-211-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2808-12-0x000007FEF74B0000-0x000007FEF74FC000-memory.dmp

Filesize
304KB

Download
memory/2808-10-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2808-9-0x000007FEF74B0000-0x000007FEF74FC000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads