dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
65s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral21/memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dwm.exetcmsetup.exeunregmp2.exe

pid process

2428 dwm.exe
2424 tcmsetup.exe
1360 unregmp2.exe
Loads dropped DLL 7 IoCs

Processes:

dwm.exetcmsetup.exeunregmp2.exe

pid process

1204
2428 dwm.exe
1204
2424 tcmsetup.exe
1204
1360 unregmp2.exe
1204

pid	process
2428	dwm.exe
2424	tcmsetup.exe
1360	unregmp2.exe

pid	process
1204
2428	dwm.exe
1204
2424	tcmsetup.exe
1204
1360	unregmp2.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\85\\tcmsetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedwm.exetcmsetup.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2860	rundll32.exe
2860	rundll32.exe
2860	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204

pid	process
1204

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeDebugPrivilege	2548	taskmgr.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe
Token: SeShutdownPrivilege	1604	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
1204

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
1604	chrome.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
2548	taskmgr.exe
1204
2548	taskmgr.exe
2548	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1204 wrote to memory of 2384	1204		dwm.exe
PID 1204 wrote to memory of 2384	1204		dwm.exe
PID 1204 wrote to memory of 2384	1204		dwm.exe
PID 1204 wrote to memory of 2428	1204		dwm.exe
PID 1204 wrote to memory of 2428	1204		dwm.exe
PID 1204 wrote to memory of 2428	1204		dwm.exe
PID 1204 wrote to memory of 1608	1204		tcmsetup.exe
PID 1204 wrote to memory of 1608	1204		tcmsetup.exe
PID 1204 wrote to memory of 1608	1204		tcmsetup.exe
PID 1204 wrote to memory of 2424	1204		tcmsetup.exe
PID 1204 wrote to memory of 2424	1204		tcmsetup.exe
PID 1204 wrote to memory of 2424	1204		tcmsetup.exe
PID 1204 wrote to memory of 1200	1204		unregmp2.exe
PID 1204 wrote to memory of 1200	1204		unregmp2.exe
PID 1204 wrote to memory of 1200	1204		unregmp2.exe
PID 1204 wrote to memory of 1360	1204		unregmp2.exe
PID 1204 wrote to memory of 1360	1204		unregmp2.exe
PID 1204 wrote to memory of 1360	1204		unregmp2.exe
PID 1204 wrote to memory of 1604	1204		chrome.exe
PID 1204 wrote to memory of 1604	1204		chrome.exe
PID 1204 wrote to memory of 1604	1204		chrome.exe
PID 1604 wrote to memory of 328	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 328	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 328	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2088	1604	chrome.exe	chrome.exe
PID 1604 wrote to memory of 2316	1604	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\tvR9\dwm.exe
C:\Users\Admin\AppData\Local\tvR9\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2428

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\pQ4C\tcmsetup.exe
C:\Users\Admin\AppData\Local\pQ4C\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2424

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Local\uyB\unregmp2.exe
C:\Users\Admin\AppData\Local\uyB\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6209758,0x7fef6209768,0x7fef6209778
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1340 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1932 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2892 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1368 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1356,i,1567790228581246068,1759107365359257438,131072 /prefetch:8
  2⤵
  PID:1624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
34KB

MD5
cd033bf79ada3ec08b33a74b1d930c07

SHA1
7f08f4962c005bf874afb03d02a016b3ddab1855

SHA256
b3a9fa989c58e445dd901195af0dbe106e688c2f3f83266b55e1c7bcfd0bff07

SHA512
d142f97cf09755e8c26193c81db06d6619db13fe5c5dbc03960882a8af9bcc8790546f59e2ae1c78c7dd99deda0477f30ef2249541abe2277cee5c26db1a410e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
58KB

MD5
188496839a8ec880e8955e85b5d98e48

SHA1
63c0f3876ad72a170ba618ad765132048acb970e

SHA256
875394931d73230a8688b89796970d4513c45bffad839b5e448ad48c9a3285e3

SHA512
8288040c3a97cca7528ae5ecbd6fc73ec389a492ecdb7443979297f50e324e86220b8beeb2ada80cd836cdf32046d2199afb4d81d3a62078559335cc0b1be162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
834464465e842138ce862220cae29f80

SHA1
e6ceb8df288ff6fa0fa8e55a93e43128abd8c804

SHA256
359f6a8d7c743eda8fda9b331135205c5f6c3c3410ca82cbf3da3c611b53448c

SHA512
4c867674242c6711d10f1d8b60e72afb6465c086ee34f01fbae3919c785fc94640bfdcb662278648b2db497a5daf5f7c65ce3301ed8e12159f90b112fb3055da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d81708176824d4742fe9bd8df130d06f

SHA1
1820b95d193e7a91d146b8d7345a4e3b3c8ddab4

SHA256
ddf02ab0cba4149212c700a518287723debdb7392db45863d1e090abc5a81e37

SHA512
d25423a648c36bd3e841a2d66d904184ff8e8a7bf4dbc9b55c5535c6db3ebffe40bcf887cf55b97b7dade4063253c3bc97aaf9bb606949f229b4fe9578ea3b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\pQ4C\TAPI32.dll

Filesize
1.2MB

MD5
0be10d4a49a3b6e578c6e2765aefa4b2

SHA1
08a8518fca5b19956ac28e0eb0c1acb26bb9bc2d

SHA256
7748f3fffdbbec7ae567d7b7448e28b6077b93bd4dc46f751e93ee37cb556791

SHA512
1df1066f48a19e2fa0ba34da1a957a16b502c2cf62bec22e7aadd0fc016e2b33aa31fb2d4f18430d8ea6cb1d9116f54396cce08a2c835016e33d782fbdbbb8d8

Download Submit
C:\Users\Admin\AppData\Local\pQ4C\tcmsetup.exe

Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
C:\Users\Admin\AppData\Local\tvR9\UxTheme.dll

Filesize
1.2MB

MD5
47e94b6fd444372b8b677a4b5400f42a

SHA1
7e38e05b452e5ac48e30d9926c222df15a704c2f

SHA256
b48ecbed831ceba473b20dbfbc1ec218dd934aff80a07b32d57650985dd13e10

SHA512
11adc551686ebef30baf5ab9baafa0d708a05d3df6b63e88ec1717bd08268fc1535f0f55c49b532db467b05f70af76677f1a9d1a6cb2448fc1fef41d17e957de

Download Submit
C:\Users\Admin\AppData\Local\tvR9\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\uyB\VERSION.dll

Filesize
1.2MB

MD5
b538e9c6d4ced2bbbff1e60708eb81ac

SHA1
ae5906ae9865362567f75d43138e20e3445517a9

SHA256
138407d5503989fac22ac463a719791876490626eab82aba32ed95bef87377dd

SHA512
b610fdc6d2f0a69c3d9c838a1845b421cd0901c93b57ca91e325044fb32f2915d1da0b73ac80742080bdc70129ea2ad34bed1540c0ae800cd9c35d29b28dbe71

Download Submit
C:\Users\Admin\AppData\Local\uyB\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk

Filesize
1KB

MD5
868afedfb6bf5e47bd308d90358de60a

SHA1
931e7395f82c389d9c5b594e5b455f5dcd54e50b

SHA256
8f271105777e3f64ff47328013c3f7b59cea5380076d41384e317ba3ce2c0c48

SHA512
305ef75166685301234042e53a3e650ffd502f1172f6f9fc0762a8ea3d79ccd97351adf58a94ba832b28f8892e6d1e86c75efa3244e02a7f228ee34f1713615a

Download Submit
\??\pipe\crashpad_1604_QNOXDIOZJLHTWGPE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1204-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-30-0x0000000077520000-0x0000000077522000-memory.dmp

Filesize
8KB

Download
memory/1204-29-0x0000000077391000-0x0000000077392000-memory.dmp

Filesize
4KB

Download
memory/1204-4-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/1204-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-69-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/1204-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-153-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1204-26-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1204-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1360-92-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2424-75-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2424-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2428-59-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2428-54-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2428-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2548-184-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-185-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-224-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-225-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-245-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2548-244-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2860-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2860-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2860-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download