qakbot | 73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8

Resubmissions

06/03/2025, 16:04

250306-th18hssvay 10

01/03/2025, 09:45

250301-lq4plsyky7 10

Analysis

max time kernel
47s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll
Size

2.3MB
MD5

74cf47683051f44e6fb55ac9360c717e
SHA1

93b1ab0a9e70a546c4b89dcb20a158dfc90b1421
SHA256

73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8
SHA512

8425057a65e7f7e39956b8b245bdcaf2d2e827664ee34693cd055ac92f37d1b4f285bac3acc3be9df67d99b1ab8edd4602d7b7bc80ba9eecc2979b8ab37cbb72
SSDEEP

49152:aRJVY7Gs7IvXK6eBTC28d97NSkkBL3HgogWmv:aRJAIHXSkkBbHgoHmv

Score

10^/10

qakbot obama150 1640256791 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

403.10

Botnet

obama150

Campaign

1640256791

96.21.251.127:2222

70.51.134.181:2222

69.14.172.24:443

186.64.87.213:443

94.62.161.77:995

103.139.242.30:990

114.79.148.170:443

217.164.247.241:2222

178.153.86.181:443

136.232.34.70:443

37.210.226.125:61202

173.21.10.71:2222

31.219.154.176:32101

140.82.49.12:443

32.221.229.7:443

24.152.219.253:995

106.51.48.170:50001

114.38.161.124:995

96.37.113.36:993

190.39.205.165:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	whatismyipaddress.com
41	whatismyipaddress.com
43	whatismyipaddress.com
44	whatismyipaddress.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2684	regsvr32.exe
2620	chrome.exe
2620	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2684	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe
Token: SeShutdownPrivilege	2620	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 3048 wrote to memory of 2684	3048	regsvr32.exe	30
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2684 wrote to memory of 2720	2684	regsvr32.exe	31
PID 2720 wrote to memory of 2204	2720	explorer.exe	32
PID 2720 wrote to memory of 2204	2720	explorer.exe	32
PID 2720 wrote to memory of 2204	2720	explorer.exe	32
PID 2720 wrote to memory of 2204	2720	explorer.exe	32
PID 2620 wrote to memory of 2052	2620	chrome.exe	35
PID 2620 wrote to memory of 2052	2620	chrome.exe	35
PID 2620 wrote to memory of 2052	2620	chrome.exe	35
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 2688	2620	chrome.exe	37
PID 2620 wrote to memory of 580	2620	chrome.exe	38
PID 2620 wrote to memory of 580	2620	chrome.exe	38
PID 2620 wrote to memory of 580	2620	chrome.exe	38
PID 2620 wrote to memory of 2888	2620	chrome.exe	39
PID 2620 wrote to memory of 2888	2620	chrome.exe	39

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ajoyyofh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll\"" /SC ONCE /Z /ST 16:06 /ET 16:18
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef73a9758,0x7fef73a9768,0x7fef73a9778
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=284 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2672 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:2
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3268 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3452 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3724 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2328 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=704 --field-trial-handle=1260,i,18272918814262157910,14067542217432725074,131072 /prefetch:8
  2⤵
  PID:3000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:592

C:\Windows\system32\taskeng.exe
taskeng.exe {E2CAA2F3-6A5E-49E1-8BE9-5AC21E080DB3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2464
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll"
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll"
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      PID:2524
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hzxezduuycr" /d "0"
        5⤵
        
        PID:2040
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zaxnxqc" /d "0"
        5⤵
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
489a016da83f52c6dc737534ba33bc38

SHA1
47484a4b4a7a469f9566a0cadcd1a43f914f7aed

SHA256
b03c654d1ff8f58664f3a04972ca94f6dfe3562d0e23eb42df13bf38c8a5f50f

SHA512
35eb0073b98b08c50d1ae944ac874046f1dfc5cf40eaa27ed59832e2220e3a1004f355be7826eaca5253a2972709b0f9770cab0f32e54c9e06fa2a261f465f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6420bc8cd247d6d75e87cd3d7017794c

SHA1
fa920f373d451db991168b6d66918891d2967810

SHA256
82af0b7c14a84f502e246f760e0ad997d1801bd0b97f61a47913888fbf151865

SHA512
d86c35237a2c35723a53eb05383b4090e4b1eaae03b845794e9c675caac6cfb6c7de8e0bd8f81e0ac69788e2935e7cd10c38fdec52982af99bc44e6cf8c57103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f07305d7bd7ce9a9aaa507c078507a60

SHA1
5e88c951825c394b36e4936017e7451f766ae7c1

SHA256
bb3f998d984ce90d4c3bd783bafc45caf204acf583dbd333c9acc1351067c270

SHA512
9cef15a18b7e3e7879b367ae16796adb08161e47a2a411dec942bb8c19009cb54154aa588f9cee64b2c3e6556bdc6d4ca4b1078f74de190387bf6144d362c777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f964f435a903a304d25749eaff9b9824

SHA1
ff121b6da78ce6473c6460b236ae72b36c62ad15

SHA256
1e11ff5236ca5fda0a43fc0005a145385f363058ec8d14ca5b9be78e4f0c3625

SHA512
47c5613a2b72811fa02a079a071bed160fb5d96da4632012008af29a2cc611082c55ae364c3d358f9395ee537b7bc10bfa3bfacfeffe1ed36d3bb3dfe37196dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
585e45d7842cb0ff860cfc7328651cc3

SHA1
d95b8f05e8ea2142fd1ed351591badeac4efe2fe

SHA256
c760f8dbaa7e31dccd86076db068379dee60ed3f7a160d71612720c40d797069

SHA512
ec1fbea0af41da84a4debbd9a8f66f523425bb7b28cfe313ec75165dc0c3bed09ea9cae8723bbff083993251f3283e35261d6f2784ebc58ff8cae354519b964c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ab391fa2a02ad20c02d587f42653ca2

SHA1
295b0ee71e61232d5eaa635a75190c84c084c3c5

SHA256
d43cc809320b48b4716d9fcefc2bdd6a11c1f0a3aa14a2651d8725b751bff1ab

SHA512
b9506ff50ceb6849022ef8de74256046cbc0b0fd761f07bbf778eb5107df4a1258b578a30e79d28090c6c6ed20f0720cda3021bc02513d04ee3ef289b051a516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fc5e6e0c603f453718b42f02d3b7364

SHA1
26d8174ff5dc318043baca6e2746c0911acfe106

SHA256
3ea40c2a83bc50e93fd50a2efa584fef231f74a1d6ff72eb407f4c2ac787cae2

SHA512
e6af84685aa36b0acc649f911b508b1b36edcc1f9ea8d85652457a901917d9e63f4656c43891b64eff8b33475cb77febd7528a058601cf6e8337596a9dd6eefb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15e112c5cd54de2754d575ce0e37ef21

SHA1
66ac424c27bd7b2235e8d5b8731ff96a75540459

SHA256
9193d4cbb842b361a917b3e277d036e2eed00f79d3a205b2ad344c388c9893bd

SHA512
4b0ffb3b887e9cfae78fc6e4498be37928e6d0c19c4dd7fd1458a5d6eac2b540a7283572cc18ef9245330b6bbb5f8567f365affb637398ca745dc3efe42595d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fb51e1583538d0a5d4ef7af1fd740ad

SHA1
9f6a1e8aa4c49bcda301d8a7fb3110ca5c667109

SHA256
5d6bd8195c9d948f431dd8438a1680e32b7310fc27497a7831d7307ef748935c

SHA512
1c6f93d01d44838724bf430071fa6e4d25421c932a6f53ea433a356abd7d0a94d7b13a6560d2f09d6d32819759afbf1be4e829cd0aa955960303f47aba568c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93da835ee1e6f00e3e0b811ae5ae0521

SHA1
78401198edff121a14e01073b26209fa418d51f3

SHA256
0c911f0b2bf7e3ed6dc5c808edc34db97215c4ca5b0c122b222392a928339d61

SHA512
5448945dcaa718c8e98c1fd606d3f6be8839755f2bd2ba69710096bcc030649beefc166d9ff083cc0e869ba443b8d9d3ff6916b1a106240a56be68b5b30678f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\736cd187-ce18-41c7-b847-910b61f0f387.tmp

Filesize
5KB

MD5
55b5df6b473ad166b3519cdf15c10099

SHA1
491543e26456b085bc10112649a8e584cc8a81e4

SHA256
27991cc369554bb62bd0f1739e93311d49d63a98f9b0e11e83c7464bb067696e

SHA512
31a8a8362330701f0173006dc626348b131a0e6923814d00553497264db319110f87e9e3c2d4e90fc4815b6f81a8e75e04aff086d6ba4792a7c84e7698ad54a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_whatismyipaddress.com_0.indexeddb.leveldb\CURRENT~RFf77f00a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b9b5538eb2b205a94edfc22911dd1638

SHA1
f6573275a59ee86602134b6d3cfe9e6216427d62

SHA256
9c16d6286ed2b5b26d8fad193064c4f5178de892d2d20650ec49e8cd7078ae0e

SHA512
f805e7098e32862dd24e095470bf85cf52e185b864ea73b095cfb3dda3a5ff19239fe48bcb4be1e5f190f11504021ef721cc4b23621fb8005e77b2d11d4bf0dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9bb1d9a2dba65aefefb756ea78f57c5d

SHA1
46cc8e1d88f4a4e9a643bc5f93612dd57688960b

SHA256
1aa081f7879cfaeeef92581037a3b4f72cb8922a71034f3fad9a16d1d70cbe44

SHA512
0d0f42e4715dee54f9acc96d73bfe1f0dc60311884f09a64f6bb092b914592ced43b8ca7964ba7686c3db93e95a70b7b3d218e148eff1d48d13b7833d60ee522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
99d66a883d6fdb772fabfc3e77c20ab6

SHA1
a67ce7dd09181f6b72777dac201c50ce3a75d831

SHA256
137bb097269b433d0809a8f09b3076d31d051bd94ca19ec4550b62043f89fc70

SHA512
31804767e72b50f72066129f0cd3a2f29f05f542b21f96d7caba6f9c6e8af9dd05cdea29eebf7e94a7b29cf8af03bd3b5e63273de818007a5e40770230fbcf55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
61834041ae54918b1a7727eebf8b35cf

SHA1
0d9a8b4cf279a295e25c6f194f287649a14a8d7e

SHA256
5460cd6161123b5877f43840147447bcc30787b8fcf7fa3ca6c5a81431327f0d

SHA512
5d3ca06154ad65ccee90dfcf96ae24239e49d0b4148a4ec2045e107a6f86ac7dc53daa0a7b1725f99d8bb1684cf95551ef65940d1f17567afbaa9755f3711326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a2270da2be18d43fa2a1b16b7b2f80af

SHA1
49aa301bc78ebd82e24def3eac4267e9ed9a3e5a

SHA256
009085ce2b1116bfb39621b0d0d037fa3519ec5ebbf24f0d29e9b8ec19f314cb

SHA512
9f81e544eaea6ebf37bbeaf3d75ff3c1da9eb9c1f1915e51e1732a572cc4eb52f9a8a0d03dd7fbd998d68acc446346b537960ca29b4d705db92cdc06cf2ea473

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
535bd184b59076223a0354de6bf72f3d

SHA1
3948f5d403865d38f5ba90b00bb7d486bca6b367

SHA256
9203ad862169974799d1f8a5b77a934f53eef0770f93d56d1efa0e28cf548c73

SHA512
805ed24350e4683d327d92209611bf8eb6a42fd219aeecd25a20e04effac5b463cc9cc00b1e164d9d4700777397bf4cfaab1c04184e784b3259cd6e821c00452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
85a0eecaf6e76abad82923ceb7bf323b

SHA1
4046cc8188e390074aff3cf94e3324c7a9511025

SHA256
356d8d2fac347be0df65017d82bf076bea975be91c978a3488437ee407252b35

SHA512
d0f8a6d7374f10f8261e5a2f74005a1ebb347fd116ee198ae2cb34aec0fbeafbcf8d7394c1c3874f3b0e88420733ed13388dda0c13eb757e2877525f7631b430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8.dll

Filesize
2.3MB

MD5
74cf47683051f44e6fb55ac9360c717e

SHA1
93b1ab0a9e70a546c4b89dcb20a158dfc90b1421

SHA256
73e4969db4253f9aeb2cbc7462376fb7e26cc4bb5bd23b82e2af0eaaf5ae66a8

SHA512
8425057a65e7f7e39956b8b245bdcaf2d2e827664ee34693cd055ac92f37d1b4f285bac3acc3be9df67d99b1ab8edd4602d7b7bc80ba9eecc2979b8ab37cbb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE90A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF022.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/592-801-0x0000000000B00000-0x0000000000D5A000-memory.dmp

Filesize
2.4MB

Download
memory/592-798-0x0000000000B00000-0x0000000000D5A000-memory.dmp

Filesize
2.4MB

Download
memory/2524-807-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2524-805-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2524-804-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2684-8-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/2684-0-0x0000000002320000-0x000000000257A000-memory.dmp

Filesize
2.4MB

Download
memory/2684-1-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/2684-2-0x0000000002EB0000-0x0000000003030000-memory.dmp

Filesize
1.5MB

Download
memory/2684-3-0x0000000002321000-0x0000000002473000-memory.dmp

Filesize
1.3MB

Download
memory/2684-7-0x0000000002320000-0x000000000257A000-memory.dmp

Filesize
2.4MB

Download
memory/2684-9-0x0000000002321000-0x0000000002473000-memory.dmp

Filesize
1.3MB

Download
memory/2720-4-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2720-6-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2720-14-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2720-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2720-13-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2720-32-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download