trickbot | 81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

Resubmissions

13-07-2024 07:10

240713-hzkfjs1cpp 10

24-08-2023 07:08

230824-hx7hascc4z 10

Analysis

max time kernel
586s
max time network
582s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-07-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.exe
Size

432KB
MD5

7773c8164949a42936c4d1374cf16284
SHA1

9e92535dc7bcdd7bf677a643f90ee730784edfc6
SHA256

81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77
SHA512

8569116004d7b7154fced5a1a6f9d6ed111cae4cf71a68942fc0b978f5fb42db5b595c059fa77bd787cb923c99894dfc07accbc201c38caa02e3f2a235a9d61c
SSDEEP

6144:K7SsTkhdodKqFnpNB0ZBPpYbDhk2N+mBN0fmWbli/eQ8CAFCKz62bxMP7RTitG:WmhdSHZoY/y2MM0fm6lfQIR62lM9iA

Score

10^/10

trickbot yas45 banker dave trojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

yas45

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Dave packer 3 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/4184-0-0x0000000002250000-0x0000000002287000-memory.dmp	dave
behavioral1/memory/4184-6-0x0000000002210000-0x0000000002244000-memory.dmp	dave
behavioral1/memory/4772-230-0x00000000021B0000-0x00000000021E7000-memory.dmp	dave

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653286364243354"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4184	3.exe
4184	3.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1392	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe
1092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	taskmgr.exe
Token: SeSystemProfilePrivilege	1392	taskmgr.exe
Token: SeCreateGlobalPrivilege	1392	taskmgr.exe
Token: SeDebugPrivilege	4020	wermgr.exe
Token: SeDebugPrivilege	4020	wermgr.exe
Token: SeDebugPrivilege	4020	wermgr.exe
Token: SeDebugPrivilege	4656	wermgr.exe
Token: SeDebugPrivilege	4656	wermgr.exe
Token: SeDebugPrivilege	4656	wermgr.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe
Token: SeCreatePagefilePrivilege	1092	chrome.exe
Token: SeShutdownPrivilege	1092	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe
1392	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4184	3.exe
4184	3.exe
4772	3.exe
4772	3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4020	4184	3.exe	76
PID 4184 wrote to memory of 4020	4184	3.exe	76
PID 4184 wrote to memory of 4020	4184	3.exe	76
PID 4184 wrote to memory of 4020	4184	3.exe	76
PID 4772 wrote to memory of 4656	4772	3.exe	80
PID 4772 wrote to memory of 4656	4772	3.exe	80
PID 4772 wrote to memory of 4656	4772	3.exe	80
PID 4772 wrote to memory of 4656	4772	3.exe	80
PID 1092 wrote to memory of 2020	1092	chrome.exe	84
PID 1092 wrote to memory of 2020	1092	chrome.exe	84
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 424	1092	chrome.exe	86
PID 1092 wrote to memory of 3312	1092	chrome.exe	87
PID 1092 wrote to memory of 3312	1092	chrome.exe	87
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88
PID 1092 wrote to memory of 1152	1092	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4424

C:\Windows\System32\-rqqg4.exe
"C:\Windows\System32\-rqqg4.exe"
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4656

C:\Windows\System32\lsass.exe
"C:\Windows\System32\lsass.exe"
1⤵
PID:4512

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\UOKLYWYH-20240404-1224.log
1⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbe1339758,0x7ffbe1339768,0x7ffbe1339778
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:2
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4476 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4848 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4608 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5600 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3020 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5556 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3936 --field-trial-handle=1736,i,15657303114656032384,8819135769103945651,131072 /prefetch:2
  2⤵
  PID:768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9bbb35de-6464-468d-a1de-f72a2e151de3.tmp

Filesize
5KB

MD5
d4b92d8b7d2057fbb547e6828c56ec30

SHA1
eb34f939a88df89d1ed444150c6e7a4121234313

SHA256
bed3f080f63e31d710d774b6219bf379a3a691bec37f82681e2a07207bf3dbda

SHA512
4ce9c7acdf56cdc82622cccca1dcd13f7273564be7846184b2fbc517bec4e7d671c4822e2932b8035e8c905e9451dffb46105fddcd08e0d51f76bdc5c567cd12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
77f8547e98561f9034c5b5ce82ebc24a

SHA1
059d93812cff253772e7aca7bb1610a501b82ae4

SHA256
c7f7155917de9ed597acca05665717203cf529974a9f103dc233eb30cb1c5f5d

SHA512
196a1bd5644df33572f2195d35d3f7affaf1b262cbd3388756167f7df81c842a1c24eae9a346c22425fafe3a7a5f2cfc2b3f2e03168d4621b9ab16bde57d0ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
27757fcf239aa99249e5dcd3feabf548

SHA1
2f16162cbf02f043c7c7f71e33b402d2eea2501a

SHA256
7ed92a3859c2d23778fded11bf4c3e6e3413966b8d6a2f970e1d0e936014d954

SHA512
b68ed10bfbd87672e529d0b76c706f94987262b6d73eb8ce37b367a90b1ca555169854dc1f9a031217901e797387b5aa6e6496355f92e113f2bb975a3643ff83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7b53624d82d3b17d6376a1635234acf2

SHA1
6f58446576c95ca58940cfdc0b8e0401be1b67c9

SHA256
13272dd5e5b620a1f58959a1c4172d224d81eecbf5c619e614c9156a29f18943

SHA512
7389caf449e80865b5ff90fc7a38eb2bbbcaa14361f00f03b44c88204d9196478bf4c41cacefff07a38ef12e7a541e5fdf63b847d4a75effbf51e59ff45053e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
1941b8954fa81b0f97b3e0caa6629308

SHA1
940d57c2c7317e1004093228580792d1c9ae55d5

SHA256
8eb08ae2a6c6d752b6b2767534ac95c8472eb539f7de9aecd5905dcb6c4443cc

SHA512
ae82a0cc551cae73c8883b5763074b98ce27f662b8da89ab4b52a2cea90fd3233f3f1265f351b80053e650de2988cacf0ddd0ffea2816c5a29f6f012950e8b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
c916e7474ba0cc6f71b3fac4399bc534

SHA1
0d9f2dd05f9d9c18acdc4358794376b209ebe31e

SHA256
8c18801e47105b88f719851fae7c4531959205d886e807fe2d8450472b666ea8

SHA512
5269d9857bc2371f3479fae882609b6d606c7cf5bdeaf0d71a37404efe6e4e3ee44c251c901164af0e9e14e1b7884178664609fbbb31179cf98ea6db861631b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2e89875c48a30ace384b20c886a5d82a

SHA1
1a7a3b28032ff2ec3365e5334314298737c2abdb

SHA256
62c43c0d257b9634a242f1d0e8811137a76273f1624713ff6a6db4b2d3eb9d3a

SHA512
9f78f589fe4441b7b95fd941a7fd1a84c22860aa28b59415cc9959ee67a2ea54370a0710a9fc0416aa23af28c10a40b811c1c1956575d16c55cf55155ee46758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
96d668ac510a34d96b3d2791ed66eb3a

SHA1
999792e36a2e9f1cb3421de0f28a36adb0fd9c32

SHA256
d12c8edcc0000bcfbb4a774d3e4f59b1e6c6429e0cc508c0def59193e7ccb193

SHA512
05b5fefb246d8f0dc291b29beac1f561b7e1c51edf733f6080cfaca591b3d64088c4f47a825bb0b3ca5f10b7203d86811ef2a8e78179945313ee4b1699cb2f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
fca6dad7041e2943277829d6d1a536b9

SHA1
7f41478ee6b90b1c8a290b368ab4af87507c05a2

SHA256
4702cf95208d6ddff64a064cfc8d0d9324c92d253bb5da05363aa2404bc8308e

SHA512
25b3393bab45109d5fe2958cd6fd2873252741aab33e2a3fbc269b2d174f0c659c3c219f3fbd136f767c383f65070eae03c1c3ef59d57e84d09b296dd2be1be8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c6c9ec714967a51988891320ebe95d02

SHA1
342fd7527246fa7b3a53f1811285bd9eb90ba13a

SHA256
af4e84292a5b0d0d7b9385b90b665d400c6d910a3fe7b8ad818f664594522e83

SHA512
6e035e41c8e532902b0ec4450510ef93e07bd6ccf399d3a51334daddd9382e824c00bac518241fda4743ad537394190bf80b40be9467e1957f33bef60fcac5d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c8a3b6fcd600a202ada89173d30062a3

SHA1
a758987df226c5848138ad97026b97ecc944fd88

SHA256
7a53b33cec7d5e7828033da04a5021ac049010ffbf2f34f8d6084df0b4c853df

SHA512
96502c80e6dbd7cd8b0aef41772b2cdac810edc25f3a8cffcf27e4e2bc89300ec11da10ae36ef1c5afe52f70d2638812c16095acf4f8399611042758e943c3ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
070e58961e012b019a723d9580c419ee

SHA1
1b1a9fadc804ca9c66acc14594668ca78db64f98

SHA256
421a707960dbfda512786175822fa98a6d79ac67c2bf7d6615df0b30f63a5c90

SHA512
4e127a1801b727640f7fd670b53f17b818b45d57e4f0076fac4ef3246ea1411ca56af245dbb2de557c7316ba9ca1be2f8798490a8a2fd7cdc55ec70ac54f9d3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7376de1f480e042c952d1f0546988cdb

SHA1
981123074e37f04b5ff20f20a0df9c8273c0434c

SHA256
e39fdad642644776a0afcf49be9b26c5219e49c40112db184876f9909d71cfdb

SHA512
8586518ad8c0da7c7420f4a6d784b4c3c1948eff572e5d4f3a4a8cae4dd78a88b6c6a198244d83bf879baa3aee09368ee7230012b34db2b71a3a466d6ad4777c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
df5548447e1adcd8c9ecc3cef1ecbdf0

SHA1
5af11958bf345b9f8c4eccc88c5d99376ce105bc

SHA256
db52c49f1a6b47ee040b8ac17a959f2c41c65afebfba931efa3719c15418a257

SHA512
a4dd59e967d8ed32364cd3a52b9fb5747c21bbd8b13f8004df5432d74f87e4402c56db17835d4f00bd73b0008aaef4a29fd4112ef8ef889326c7dc032b589e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
793f83f9ef4069e9ec8ca1f3bb992767

SHA1
c148475daa16318cf31ae60e04045d429d02d3c6

SHA256
d9052b872831af8ed245d4186003b37c8de47ca4f47f0d396d3ad866b0b02419

SHA512
42b91c609c288854455b60a2d344162f078efa24f8f24322b31bfbd2d582c42c9e4571d123dd3e8ad06d22c738364359c0f8459d932cbb59293e1dbac6afbfc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
288KB

MD5
5f0de836f32f1a542062adc65e692921

SHA1
d77cdeead63d3dbdc65e1f3a1d28902161b9ff1c

SHA256
2a83ce4d83931ca1e3c635a7e91a56ff325d466ecc564b75c7b1a4e6ec7b3cd3

SHA512
0b719e525bd3633f2cec7796b8fb467b3e40dafde752fb66f4bf23006c2f0f6b0d83f2748f2155e0b965f1fff2ca4564135efa8b400bb5afbbd19b204ac9c727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
88b976d0a36cbd331213c93864fe4231

SHA1
bf7e7f4cff9b7441ac91a19909c7006432acfffa

SHA256
ee0fc0b0c7ab0329ece3f7bfb0956987ebc5018ca79060153e7bcb5bf1909998

SHA512
800ae10ba32b3a97ab5342ac0345630c129e35aa3689cc20cf3d091bad7f8ac9bbe24bdca840e768508a08134e2f1b45b53b42cfeece194d6ae029f44b9e485c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5dface.TMP

Filesize
92KB

MD5
318759df9f8eaa6443b21bd7de42dbec

SHA1
79e88567e631453e21c70dd4fab715d85b9793f9

SHA256
2edd8c11613e6cc595ef0822bd7ecb277c3740a8f894f4eb79740974e08bfacd

SHA512
91b8203eb83457a62c36181882385c80b317c5d3ad294a0f320a6eb793ba40a79e8c820f5c6ec56061eaad0c24fe97f0340e83c2d11ccf3193d1147ec2581192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
081def38a291c1c1bd1f16b8a933f53e

SHA1
39e7c4705ed943b4bad61c619e3ef698a6b13c42

SHA256
4f9c6e68b08b241ca8c90f34915b8e04f7de042e0d093a44b77bec1efbf21bb6

SHA512
2f9f0dfd4ab4919325db3bbefd8a404ceb2bbc7d0c5fea0be7183da30f7c62726ff6b89acad151f9fde1db467fd37ba0814d818658c11875f1c6d098cd5bc96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
02f2258f0e74495bb6fe362815de1eea

SHA1
f55983bd60d27025dcb6013c87fd5c8b226c2858

SHA256
4952c3bd2bae5131e2794af4e067bb65aed8d37af302b55ed966da2b8315d4d0

SHA512
b5060d5ad93a04850ed1a0649664b3404e8a44cc77bb586f6793e7f4fed893bfa30dec65b7b3d8d1353b75bc9cc65879ec57e687a067ad419f8c699d8f41d316

Download Submit
memory/4020-224-0x0000027F7FF80000-0x0000027F7FFA4000-memory.dmp

Filesize
144KB

Download
memory/4184-6-0x0000000002210000-0x0000000002244000-memory.dmp

Filesize
208KB

Download
memory/4184-229-0x0000000002500000-0x0000000002533000-memory.dmp

Filesize
204KB

Download
memory/4184-0-0x0000000002250000-0x0000000002287000-memory.dmp

Filesize
220KB

Download
memory/4184-46-0x00000000023E0000-0x00000000024FA000-memory.dmp

Filesize
1.1MB

Download
memory/4184-45-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/4184-7-0x0000000002290000-0x00000000022C3000-memory.dmp

Filesize
204KB

Download
memory/4184-8-0x0000000002500000-0x0000000002533000-memory.dmp

Filesize
204KB

Download
memory/4184-4-0x0000000002500000-0x0000000002533000-memory.dmp

Filesize
204KB

Download
memory/4772-230-0x00000000021B0000-0x00000000021E7000-memory.dmp

Filesize
220KB

Download
memory/4772-251-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/4772-252-0x0000000002780000-0x000000000289A000-memory.dmp

Filesize
1.1MB

Download