darkgate | 964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_reader - Copy.exe
Size

3.9MB
MD5

0b3862697827944cc338f06ba9105afa
SHA1

c4b09f47e7942f487986622e61643c347311436a
SHA256

964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837
SHA512

6b1d4ececa6d88166ed538958ecc85731100600468484e4f52e826e0e7a2733dbb1eccaedc7ae66902fbd2cdf7acae2ee70d2cc65c745ed39d8ecf687f599224
SSDEEP

49152:xsoCGLD9MP+a3FLiyDxn8P7Sfcaf+eHMms:xsrBVV

Score

10^/10

darkgate link pdf persistence stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 38 IoCs

resource	yara_rule
behavioral2/memory/1100-113-0x0000000006100000-0x000000000645B000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-123-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-126-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-122-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-121-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/1100-127-0x0000000006100000-0x000000000645B000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-134-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-136-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-138-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-140-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-142-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-132-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-143-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-144-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-145-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-146-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-147-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-148-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-149-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-150-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-151-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-152-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-153-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-154-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-155-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-156-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-157-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-158-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-159-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-160-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-161-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-162-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-163-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-164-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-165-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-166-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2980-167-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/116-168-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1100 created 4896	1100	Autoit3.exe	43
PID 1100 created 3712	1100	Autoit3.exe	55
PID 116 created 2420	116	vbc.exe	84

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1100	Autoit3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EEfcEeH = "C:\\ProgramData\\eaebbcc\\Autoit3.exe C:\\ProgramData\\eaebbcc\\fcfhchc.au3"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 116	1100	Autoit3.exe	101
PID 116 set thread context of 2980	116	vbc.exe	104

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x0007000000023206-11.dat	pdf_with_link_action

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133516973919574425"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
1100	Autoit3.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
116	vbc.exe
2980	vbc.exe
2980	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
116	vbc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe
Token: SeShutdownPrivilege	1336	chrome.exe
Token: SeCreatePagefilePrivilege	1336	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe
1336	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 1336	3264	document_reader - Copy.exe	83
PID 3264 wrote to memory of 1336	3264	document_reader - Copy.exe	83
PID 1336 wrote to memory of 2420	1336	chrome.exe	84
PID 1336 wrote to memory of 2420	1336	chrome.exe	84
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 4588	1336	chrome.exe	89
PID 1336 wrote to memory of 3776	1336	chrome.exe	88
PID 1336 wrote to memory of 3776	1336	chrome.exe	88
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86
PID 1336 wrote to memory of 3444	1336	chrome.exe	86

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3712
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:116

C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdde279758,0x7ffdde279768,0x7ffdde279778
    3⤵
    PID:2420
  - - \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:8
    3⤵
    PID:3444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:1
    3⤵
    PID:4024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:8
    3⤵
    PID:3776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:2
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:1
    3⤵
    PID:2600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4108 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:1
    3⤵
    PID:4520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4320 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:1
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:8
    3⤵
    PID:2328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1876,i,11529436353680762443,814347772191856819,131072 /prefetch:8
    3⤵
    PID:3088
- \??\c:\tes2\Autoit3.exe
  c:\tes2\Autoit3.exe c:\tes2\script.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eaebbcc\fabchek

Filesize
1KB

MD5
04539dfdbc555f4fd31f48e87c5be8a2

SHA1
fd0920c20c648185f73bc925b0c7752276c8ab1c

SHA256
8b5ead9e54d40aed1d5f93d3640e6a58e9e4ff4b9f1b525da870c594ebfbe456

SHA512
e4809ef16d8fe023e9f57ebc2b1f91991611fa2af20d617cde66290bc302a2aae82d4a05674e2826388d563cbf8242d77238b6f78d0a2402c28c794b40c69e5e

Download Submit
C:\ProgramData\eaebbcc\fcfhchc.au3

Filesize
59KB

MD5
70f62026e0fc6c937f1ad0aa1436b177

SHA1
9ab094f6d175d7111256ee4ceda25344cf4e8447

SHA256
79fe17de2707e9e0c0f299f9be0d084eac8454955f0ae048d2db58fffd38f66e

SHA512
cb8ebf586ea5883da3bf44498a9839aa3f621c6df5401f323867d922b860aec1479dd61f6700b9c8763c535fe05718ec0c7a9806d614f60e7c5e57517f2ee648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
824B

MD5
53bb29cff6508adc1d85e47425fe8163

SHA1
335d1598493b26069f77559fd32270b0465b8cb0

SHA256
65fb1e6bd538aadf89f61b34f6e40bd525bfc5368d67213797f359d419f562c4

SHA512
7907c651c89a290b3e23066c089b913650a56e200c9ba8ca7df17aeeeff4e90895507f0075c1b457ec1b507070a29aa9a7dc316b0e51b4120ee28f88b53cbbc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
57ad6094e729322141b7e8363cc1e964

SHA1
d7c0506cf2cd30f4cfb6026390151c842f348e2b

SHA256
8e6e5983579228525e8c87c54fa2ebd3d7bcaac239878c32d2aa8489fcbc0a4a

SHA512
c8f89c35fb46923cb91bfa7c697ceb904330cc063106024c9571bfacd9743c46f7633320cd3dfa61a6b3d60d707255d0bb83ceb10ff0b9fd33b91c63dfbc9525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
2fc4cdfa787c53f04697b6fdc4ad8404

SHA1
53de6b0f89009074fcc9579f6ee6e73caf278248

SHA256
96b53feebf5e872cd1173bbaa966d9d36d5d054b115d39c0c00b82cebe6e92e6

SHA512
420a4035dc924c69acc33093e91010bcaef5a7a51bc9bedcfdc5e7ce0cea8a8e318942cc8ead9cfa69b5adb66a685a109a919770fc99e28c88b27db0d4ca0c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
58KB

MD5
9e974b0036ae2683448d80a15e723fc9

SHA1
cc198a469810b84ad8c3db5bf2619d95861e1e78

SHA256
c02d2772585c048908f7db7e46dc17bf0930c6c7c4b7a650fdc426c4db22ac5f

SHA512
df3cca8cc82993641483b82c7b09365e4b1c901fe6da62b6edfdd4a72030ca8be3d16e46134ca48be9a94a890ccb868c619133e9dbb6eab71cac707e0fab4466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\EEfcEeH

Filesize
32B

MD5
c680543adf013d796b0becb6785118cd

SHA1
c169019fd887eea3a9e1d631503d91a0373c374b

SHA256
afb1956354e6e6002933d625ca1ccd82d9ddd2836a25dec17ee398b438f51438

SHA512
14ebb4bdfc5e0d837977cfce53d25b07afbd2e9e7f93c889fcb8b8320965889f882b7274ac11a153dd807d639b288989dc35e017e5542fafe41ad8301c29f563

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
4405b4b3f8a5f58f888b7a3887025053

SHA1
69bf56fe85b2e54b288823ffd724da46bce7c5c7

SHA256
954b68c1d6d46814febe466142a2f72f59198aa3458ef58e887ebbeb04d89f43

SHA512
2a18815824b1d2baa5756d53c4c900cea21343f9ce0ed77dc5873dc1f8bffa1d32644fe481c93368882efb14f034e467b43ea3b59928985d9d584b616db37cea

Download Submit
C:\temp\document.pdf

Filesize
57KB

MD5
a49dca02ca133af8246aa13c830cb0e8

SHA1
6f781714243f4a0ddd912ae412ee3d9ee672c5e2

SHA256
5c76b16e40265e45b3bae1de599f99c6799992a2fd7cf93d764c6b90b31852aa

SHA512
d32281dc4a8de8e5c6b81e20b259bda4af39354dd0939c2cb7790c81b27a45d37e7bd653a9944663d8123964216629a2b5c9a4d90de5f8016f9829df757952ce

Download Submit
C:\temp\fs.txt

Filesize
4B

MD5
08571f1a7dea3adb46852a136fda1799

SHA1
6d14ae98d11bd84bb69a0db18bf74607d4eb3e02

SHA256
fa4a948a344c1f3916e2bb8899ce22cf4ff7069b013e35f5f5cc0382652f6b5d

SHA512
99d171d072a27ec8fbb93bc35fb226de82f950a04627edde8c5d35de9a178525eb060c2fca1ab340055f4707b08cf9b1ace1e3cfbb0a4aa00db949f6dcaa3095

Download Submit
C:\tes2\Autoit3.exe

Filesize
53KB

MD5
be51441ac5f6b1fe53142717645dc290

SHA1
548d01b6ceb4ca656cb7fb0fc13c4ac863fd6e1d

SHA256
995a5750b2c236c1029ae47d5ecaede575ef2e6d3174e34bf680c9a3cc054b21

SHA512
78db6b908c927e001a8a9e08824cfc687f9a99a862368f34c7b88d5a3fde5a8730e1dd702c18b48e6a1d8a06bbaafb3efcf4699a930ea557dcc3f32599d1736a

Download Submit
\??\c:\tes2\Autoit3.exe

Filesize
92KB

MD5
78b0bf4cb430e6a571386020fe2a1f44

SHA1
7a92623bee0b4c302ecb7ab10d703805574a8b97

SHA256
6a613b5f0943e3e5fea1cc9f28269c15eae9eafc48d9d3136da58485eb719eb7

SHA512
dfa3d8c9b55fe1eb47ecbf9772bd8c96493cbc4e14d1bfd3423711b52a6bf1c69a356063e144e79d69dd26bf4e5859746158223e15fb2a952a358d0ee328374b

Download Submit
\??\c:\tes2\script.au3

Filesize
48KB

MD5
4d5d63cb76017b473689b3e2b395eba0

SHA1
8643771d5f711506078d20b0e7cf09d01d3a418b

SHA256
82a5f36a3d09cc7e24c2a39675e8138184ae63cc245aa08b2310342c9b439b52

SHA512
678f6df5c9b77e261e0de822db4634fe43b540d037fae03499a4f8d6bfad192733377bc7f25ef19355255bd77ad758fbfe49637a54f2dba7704285c1410969e0

Download Submit
\??\c:\tes2\test.txt

Filesize
76B

MD5
4252e248997cb141c0d2b5211d9459f7

SHA1
cad24dbb355b37345b85c9e276931ba6b3a7dd1c

SHA256
c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8

SHA512
25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2

Download Submit
memory/116-132-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-160-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-122-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-121-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-152-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-123-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-156-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-150-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-134-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-136-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-138-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-166-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-164-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-168-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-154-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-143-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-162-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-145-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-146-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-126-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-148-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/116-158-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1100-113-0x0000000006100000-0x000000000645B000-memory.dmp

Filesize
3.4MB

Download
memory/1100-112-0x0000000004A50000-0x0000000005A20000-memory.dmp

Filesize
15.8MB

Download
memory/1100-127-0x0000000006100000-0x000000000645B000-memory.dmp

Filesize
3.4MB

Download
memory/2980-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-147-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-155-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-151-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-157-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-159-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-153-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-161-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-144-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-163-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2980-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3264-0-0x00000201BB010000-0x00000201BB011000-memory.dmp

Filesize
4KB

Download
memory/3264-108-0x00000000009B0000-0x0000000000DAE000-memory.dmp

Filesize
4.0MB

Download