TrickBot Execution Flow

Figure captions (the screenshots themselves are not present in this copy of the article):
TrickBot execution stages
Stop the Defender service
Delete the Defender service
Using PowerShell to disable the Realtime Monitoring feature
Malicious process launched from AppData
Fake svchost.exe is launched
Example: C2 config is created
File being written to disk
Another example
Stack view
C2 info loaded to memory
Example of a config file
End of code on a non-infected machine
End of code on an infected machine
Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.