kpot | 62694bbe5ad0c4c86a70aa3b5b1040ce46f22d0a99dd24f888d26ca40963664c

Resubmissions

21/02/2025, 18:36

250221-w9cqcaxka1 10

16/02/2025, 02:22

08/02/2025, 06:14

04/02/2025, 20:34

25/04/2024, 20:09

Analysis

max time kernel
51s
max time network
44s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25/04/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
Size

1.2MB
MD5

02c54b72e71ea65747180a14c84a2ca1
SHA1

0ff7516737a6790bbe4875a8a5c98fe20a1d1576
SHA256

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95
SHA512

2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf69AlRmRHJ:E5aIwC+Agr6S/FEAGsji6lRip

Score

10^/10

kpot trickbot banker stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000002aa27-22.dat	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3396-15-0x0000000002440000-0x0000000002469000-memory.dmp	trickbot_loader32
behavioral2/memory/3396-19-0x0000000002440000-0x0000000002469000-memory.dmp	trickbot_loader32
behavioral2/memory/3396-31-0x0000000002440000-0x0000000002469000-memory.dmp	trickbot_loader32
behavioral2/memory/2276-46-0x0000000003100000-0x0000000003129000-memory.dmp	trickbot_loader32
behavioral2/memory/2276-59-0x0000000003100000-0x0000000003129000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585494037434412"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3396	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2276	3396	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	80
PID 3396 wrote to memory of 2276	3396	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	80
PID 3396 wrote to memory of 2276	3396	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	80
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 2276 wrote to memory of 3160	2276	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	81
PID 4080 wrote to memory of 1084	4080	chrome.exe	85
PID 4080 wrote to memory of 1084	4080	chrome.exe	85
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 4700	4080	chrome.exe	86
PID 4080 wrote to memory of 1292	4080	chrome.exe	87
PID 4080 wrote to memory of 1292	4080	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
"C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff90b59ab58,0x7ff90b59ab68,0x7ff90b59ab78
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4148 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4164 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1776,i,10078329408831289254,7871053724306842490,131072 /prefetch:8
  2⤵
  PID:388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
5ba2366ecf618f8040168cfe90dd57ab

SHA1
29dffbbd0a10611b8f2b2785748f22f527287740

SHA256
ceb1eb49d1f1eabb3d8adcbf7861262dab5405509d30b3cebb2f83843fe8a068

SHA512
ff0f60e3c960e4cafbd65259eddf9442c228f4a76476c7cca6ed7aae2c5a849828c837acbd8e703c11fb1749b88005b433092456be3bf74bfb5e98c204799ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ddc7f76ca62a4942ac495a6dcc25e88e

SHA1
bc1252d39574d22d39ca5055e00baf8868cb426b

SHA256
e9162d65553f983c0d521fb74369900e577dd59ae580b92d0735ec0df78c06a8

SHA512
7ab5622cf88adf8003335c51cf1adabc64170d47853857dc2ce96ea313fabb0156496f43f9ee3c576f1edff074c9b15687237f01d7f6db2730395c8c80a14ae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a23313c2a883b4004a35fd6262d04069

SHA1
0dbfc6bd2ed86433642b3b35b358a9625e716cac

SHA256
a21a960f6c437f3882232bdfca659f89dcc51d998628fa6eaf374dfd4b5d68f9

SHA512
de029c2ea7d561175d3f14437f5b9f72dc97909d277730a6dbe9177caf702585013edde672a12b98c4a65be9ab2b49f2c592977ca5d33ccc0c71fa7f81533696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1d0fa55f3eb1864bcf8b687656f51d49

SHA1
9861d00365082c12068f3859e838415c683f13e2

SHA256
989230b9657998ead9cda95ecf181dd4e1bd17354555859df0336e20e80a0ba6

SHA512
fc65c50d3021a29b03eb119a8d0d15a8968557f0cc08f09b167b18adb6ec90da991bd65ae299aa5a1f0461abc3b8550efc7c8602392994cbb925758fe2c12721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
53b2be1655291e5ce57400455e4cb302

SHA1
a7118a310507c027dffd5033c4ed2715f5f8e7b3

SHA256
8c562d2cab0c899d3881aa87d00ed3aab146de9b0304c9355649e27423504a90

SHA512
5cf7287000251a8c22126249015cce4b52a742b62b2f33acaee5fc11dc249e22cbcf2b55d18ff68645d00f818b05f27613c72bc248071ad8ebd6764e6091ab5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
11541eb8204a7f61ca6e1a405871e5cd

SHA1
ac5087772e2a2bcc15c0f8eff45c5809f868dfdf

SHA256
958824ec22aa88ee68f59d604d2bb9b86a46b4f2ecd8b0446d9ec7dfc1d6ac59

SHA512
f8a6d1cfafbc2f3e9247b62408625412e0f802b873bf13aee7cfc0f223ee77aaaa18e423ab5e55321ba79580991ca6e245b57c88c55f42ee292644c559c0b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Filesize
1.2MB

MD5
02c54b72e71ea65747180a14c84a2ca1

SHA1
0ff7516737a6790bbe4875a8a5c98fe20a1d1576

SHA256
ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95

SHA512
2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0

Download Submit
memory/2276-55-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2276-38-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-56-0x0000000003160000-0x000000000321D000-memory.dmp

Filesize
756KB

Download
memory/2276-59-0x0000000003100000-0x0000000003129000-memory.dmp

Filesize
164KB

Download
memory/2276-57-0x0000000003220000-0x0000000003594000-memory.dmp

Filesize
3.5MB

Download
memory/2276-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2276-44-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-46-0x0000000003100000-0x0000000003129000-memory.dmp

Filesize
164KB

Download
memory/2276-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2276-28-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-27-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-29-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-32-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-39-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-30-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-34-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-33-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-36-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-35-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2276-37-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3160-51-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3160-58-0x000001E718D20000-0x000001E718D21000-memory.dmp

Filesize
4KB

Download
memory/3396-18-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-13-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3396-11-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-12-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-2-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-15-0x0000000002440000-0x0000000002469000-memory.dmp

Filesize
164KB

Download
memory/3396-14-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-31-0x0000000002440000-0x0000000002469000-memory.dmp

Filesize
164KB

Download
memory/3396-19-0x0000000002440000-0x0000000002469000-memory.dmp

Filesize
164KB

Download
memory/3396-10-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-9-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-8-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-7-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-6-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-5-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-3-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3396-4-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download