kpot | 62694bbe5ad0c4c86a70aa3b5b1040ce46f22d0a99dd24f888d26ca40963664c

Resubmissions

21/02/2025, 18:36

250221-w9cqcaxka1 10

16/02/2025, 02:22

08/02/2025, 06:14

04/02/2025, 20:34

25/04/2024, 20:09

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/02/2025, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
Size

1.2MB
MD5

02c54b72e71ea65747180a14c84a2ca1
SHA1

0ff7516737a6790bbe4875a8a5c98fe20a1d1576
SHA256

ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95
SHA512

2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf69AlRmRHJ:E5aIwC+Agr6S/FEAGsji6lRip

Score

10^/10

kpot trickbot banker discovery stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab79-21.dat	family_kpot

Kpot family
kpot
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2380-15-0x0000000002430000-0x0000000002459000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
768	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
2412	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\~DF6513D10B26B9506D.TMP	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
File created	C:\Windows\SystemTemp\~DF39A5727B966AAA40.TMP	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133831749024049011"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe
Token: SeShutdownPrivilege	3488	chrome.exe
Token: SeCreatePagefilePrivilege	3488	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe
3488	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
768	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
2412	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3468	2380	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	77
PID 2380 wrote to memory of 3468	2380	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	77
PID 2380 wrote to memory of 3468	2380	ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe	77
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3468 wrote to memory of 2232	3468	ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe	78
PID 3488 wrote to memory of 3868	3488	chrome.exe	82
PID 3488 wrote to memory of 3868	3488	chrome.exe	82
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 4068	3488	chrome.exe	83
PID 3488 wrote to memory of 3832	3488	chrome.exe	84
PID 3488 wrote to memory of 3832	3488	chrome.exe	84
PID 3488 wrote to memory of 1236	3488	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe
"C:\Users\Admin\AppData\Local\Temp\ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc57dbcc40,0x7ffc57dbcc4c,0x7ffc57dbcc58
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4372,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,1698659793647622737,17961714071600046095,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2028

C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:768
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4564

C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2412
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
03fc4707b4e47150a2aa2947652c619e

SHA1
9a61234dcb86c4a289d757a4080ef165894faa5a

SHA256
d792a6a8d9e4abb7e20a52aa8f53d9eaf37d5923fbd12b5889cb527a81efbde0

SHA512
4786e9a9e8c6954fd8511b72c3d4e46cef65a24f2652084e45aed10abe94c8c2ce936720175a0f6cfe2cb48c2581a0b4181b154d45541be6f539b9e086e72bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b158f1ddca821a5fbc4e6530f6dbaa61

SHA1
2fb0d517417c950aadafdff8bc995c64e1c682c1

SHA256
e96810b896db38e6fda8be13f6915486abf8df453fc92c25efaa91e0f9200f2b

SHA512
0e435b9b460aaf22ce3a58944881c7a074e3d31cd6834c887281c93f3546d9113830cf8f1e7ba6921af4fb3ac13fa3feac139cd3077ba8b56a7a8f3921ad7554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
74fb0ddd0eeb4f7e2909c718ba064f5d

SHA1
592ecd39fb61fd1af7f42abd4264888632ccd021

SHA256
7d691fafcae81515ad50fc38591d605862753e02380fb9ffc40aabe495761734

SHA512
b36453c8eb9f8159275eef222167986cf049eac2b6fc2b30f13ee4f4541ee8f85599eb84db08fb31168e2605a9e9352c73a53e0d3df712e53cf87174a4b2dba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
157e0707b5ac2d3d080b311f5cead4ae

SHA1
f28171b65a7330757516444302b312e567f167cf

SHA256
c050e1010b2bc35e3fe581c4aeeadea2f3234c106891bd038cd7933393dab0c2

SHA512
43fe780322bab7ebc0ecf0b603631225d4e8639d4d08f323a634ef6ae0fe88397063c5a58ce9704af8c54fd338b2c7893e5e479a0a5ec6b36173bbe6a3c6f8ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2ca8a44069d326d9552e04f9c479ee85

SHA1
38b3c46c47273d9d5fdd964a9324c6b8feeacb82

SHA256
683de983632b3458f73eb81e7277cb4816ddf817924a8500dfbfc0e174895501

SHA512
6ad4fbeffaceefca40f8c4c593ef08d6de9f22ac8b88532a1abf520b02d5e0ec42bc7b7295c7b9a55d7acb8e37d4a28b2724bd532ea5a68760616a9f47abbb45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b5afbc2f514806a49b99455b7f101f8

SHA1
abac959a9a551a0024d278e1724b259276e078c4

SHA256
c846fe22d77a3481fbe644a0771178dd972f538bf09b9fbf03e766094f668b0d

SHA512
c0c4bd805ce49799cc17615d959fc3c634059a15b97eb01c5efc93c29fb647ae03c50468914da3e59c031a94da3df03ecb80ad982fe9ca11dd4ab6e2d33e6341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5edd9bdec3b06317d88bc8aa2018853a

SHA1
ff2496d3a39d1dd633d6900dadc4e307833b9835

SHA256
205c04ae3d059751778230a7dbeeb0cbeb34bd92c006310d03a03563eecfbd4a

SHA512
c0d7ec29cd373385b476caeb62926c194352a3b7e61f1cc5be86b3b86a7dd1eb3fc393e47e0d68ab448529dbb4b512a19294af3ee27eaa7ebb22e8abfa31088e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24941378ffcff7465af995be6db03a8f

SHA1
2f900054444156792a28ae6d36deaa835e406499

SHA256
840458ffab91dd545a80695b1c3dbfb8a9a13c9f0d4e1910a438f8002d33d333

SHA512
be9f1c358cc7106f508b098c57600f95ecdaf052143c5715a67441319d6a1ddeb88c7a2e9ffdc81bc3431aa71c9e60e40d2d26d11347bbf08f617dbcf87f1578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68c2aea175a2d0bc0685d9594e26e0b1

SHA1
ee81fbbe56d431c480e3ce33a6f67e9d5360fc0d

SHA256
99fdcbc1c7e928e43256961fb2e878543da6dcd362a955a87796bcbc97f44105

SHA512
a6e15db74a4d716e23b8162e9d7a44c2f4b971c8d032e07f08c0085f752fd1baf2648590c59f9003fd9454cd05696e79f1b63c527b038faf336041ff69feb85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
50136e32fb22dd4dbeb46738c7afff34

SHA1
fa5f0e980ce41fae7a2affbc0d4e496aceb37eb1

SHA256
c3dbb73e4ae645c0c51d4b471dde6226a3fde1d313d457c8270276e2eedb0cd9

SHA512
0ee4156e3c97b11dadfb0ab96b22abf0aa79cf2d0d9de3924d737dbd104dd76d41461301d405653c9dc1650f4409468cc7b62162965cdf88942e87a326cf7297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7fa8b4128cbc6c7fa463c7d854eb1b72

SHA1
23c2c59b43a964271c9a4a3e41a306b53609ee8a

SHA256
7a104865d642f87cbbaf53ee19a892ae94523e6cb3e4597bd612382f07f75c9a

SHA512
e5c382a388ef4772aa42dd8920f93855e3fa9f98fb709f0f1a3a7ec097e0f98070bd043913a5d652b289559845f28c87d4549c97c6474ce2ea2954adc81ea80b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23811fe9e5cfe6008a76090601f5b950

SHA1
783f8acb25955892651ffacefdf5a6baad1643b5

SHA256
6444c68dbdac1dceb002f6d2849bdf95527a5649f595d273ec8f82fff81286f0

SHA512
8c5ee5cc84d52e5a083cbd094eb1ef91091d0c9bd91b16a035cfc1ee25bc56e5c9e264733416462307014f40b6cce49b082af54b5fff628a2da9f16ba62dfe26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ed65e378b5b617f33a1dde489fd14885

SHA1
225a12aeea56b489d35c1f3d2da795c778513f81

SHA256
4baa8babb6d3149d176dbbe94d1de84c83220497f92b933e06cf6e7495447646

SHA512
3b429e2456d7661355b2cb42d76c6741ae08a0af8571a59730da39b39c80c900b855026b7f0febe192b351ec33f2f1b77d12c3c2655bed2a41a8cee5941821fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
235KB

MD5
27afe1f5d09d7e927c38bf770431286e

SHA1
d0442e2a1a702c250d8a90f376c7df749ebb9075

SHA256
68a4cd6dcbdc2e21fe0a36c583c6c85c4e32e754ee3364d64d505699c03d19f3

SHA512
2a0aa83b19352d28a6b7f8d38ee9c565375005cacf6d034abcd3e3d49769a45388a4f722328a0fa654bac8251e319a84d4ee3e0c55e828e42ec500458975122f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f300de27-83e9-4384-821a-f9b10e2aee56.tmp

Filesize
235KB

MD5
07481d68f733d2abb53c6e546de4c4d3

SHA1
0f5098f8db9c90b2711997ab4a2b99fb76462ae0

SHA256
c48512bc20104fecec1bf8c841961aa2f6208a21250e8a5a6117719016373647

SHA512
b5aed8a407170e4374bfd53d7dfa788e3c05bd5790eed0a92800430376adee4b17eecfdd498120ed6151c6e38dde8e89609649399c6fa8eef99a203078cfd54c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\ed0dff21d8248a880dec0879a3da96fdd39bf9e0ca2783ab9cabfcc2362f8b96.exe

Filesize
1.2MB

MD5
02c54b72e71ea65747180a14c84a2ca1

SHA1
0ff7516737a6790bbe4875a8a5c98fe20a1d1576

SHA256
ed0dff21d7247a770dec0768a3da95fdd38bf9e0ca2673ab8cabfcc2352f7b95

SHA512
2aa8bfa5f1052a19247de879a1e3b14b81ffede11214ae047c3df4bf0477697a61c9392ed1cbab165ad682136db8ca23ab358a57223765e458fe079d4188b5e0

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
52KB

MD5
3414ab25c42e3c08a8474693c581d7d8

SHA1
9cd2b18e0b5afd6c7c22c7f8ff1ef645e83f032a

SHA256
e644dc23c15a0c1b54a52074c3a894088760f4366f45d2c7c86eec81f7b4628b

SHA512
b0ec7baca6bba7810169523dbff5ffbbd39e79669afa93199ee14985f7ed6caa952304c5e7ce5fff1c89ab6cd6cc198f483610e653f74b74afa116d9b23f8401

Download Submit
memory/768-175-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-173-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-176-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-177-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-193-0x0000000001D60000-0x0000000001E1D000-memory.dmp

Filesize
756KB

Download
memory/768-170-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-171-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-181-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-180-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-172-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-179-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-174-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/768-178-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2232-46-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2232-51-0x000002237F480000-0x000002237F481000-memory.dmp

Filesize
4KB

Download
memory/2232-47-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2380-12-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2380-9-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-14-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-13-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-6-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-15-0x0000000002430000-0x0000000002459000-memory.dmp

Filesize
164KB

Download
memory/2380-11-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2380-10-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3468-27-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-53-0x0000000003220000-0x0000000003594000-memory.dmp

Filesize
3.5MB

Download
memory/3468-52-0x0000000003160000-0x000000000321D000-memory.dmp

Filesize
756KB

Download
memory/3468-42-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3468-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3468-26-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-28-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-29-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-30-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-31-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-32-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-33-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-34-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-35-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-36-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3468-37-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download