darkgate | 964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837

Analysis

max time kernel
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
submitted
06-02-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_reader - Copy.exe
Size

3.9MB
MD5

0b3862697827944cc338f06ba9105afa
SHA1

c4b09f47e7942f487986622e61643c347311436a
SHA256

964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837
SHA512

6b1d4ececa6d88166ed538958ecc85731100600468484e4f52e826e0e7a2733dbb1eccaedc7ae66902fbd2cdf7acae2ee70d2cc65c745ed39d8ecf687f599224
SSDEEP

49152:xsoCGLD9MP+a3FLiyDxn8P7Sfcaf+eHMms:xsrBVV

Score

10^/10

darkgate xiputin2 discovery execution link pdf persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

xiputin2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
OvQSCXBO
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin2

Extracted

Family

darkgate

Version

6.1.7

Botnet

xiputin2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
OvQSCXBO
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin2

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 36 IoCs

resource	yara_rule
behavioral2/memory/2700-114-0x0000000005C20000-0x0000000005F7B000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-122-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-123-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-124-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-125-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2700-128-0x0000000005C20000-0x0000000005F7B000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-133-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-135-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-137-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-139-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-140-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-142-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-144-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-145-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-146-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-147-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-148-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-149-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-150-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-151-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-152-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-153-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-154-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-155-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-156-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-157-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-158-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-159-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-160-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-161-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-162-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-163-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-164-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-165-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2936-166-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/4540-167-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2700 created 3868	2700	Autoit3.exe	55
PID 2700 created 2588	2700	Autoit3.exe	31
PID 2936 created 4072	2936	vbc.exe	61
PID 2936 created 808	2936	vbc.exe	85

Executes dropped EXE 1 IoCs

pid	Process
2700	Autoit3.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCFeGKe = "C:\\ProgramData\\cbhbdcb\\Autoit3.exe C:\\ProgramData\\cbhbdcb\\cchcdae.au3"	vbc.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2700	Autoit3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2936	2700	Autoit3.exe	98
PID 2936 set thread context of 4540	2936	vbc.exe	100

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x000600000002310d-11.dat	pdf_with_link_action

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133516991608194605"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2700	Autoit3.exe
2936	vbc.exe
2936	vbc.exe
2936	vbc.exe
2936	vbc.exe
2936	vbc.exe
2936	vbc.exe
4540	vbc.exe
4540	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	vbc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3120	1988	document_reader - Copy.exe	84
PID 1988 wrote to memory of 3120	1988	document_reader - Copy.exe	84
PID 3120 wrote to memory of 808	3120	chrome.exe	85
PID 3120 wrote to memory of 808	3120	chrome.exe	85
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 4968	3120	chrome.exe	87
PID 3120 wrote to memory of 1152	3120	chrome.exe	88
PID 3120 wrote to memory of 1152	3120	chrome.exe	88
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89
PID 3120 wrote to memory of 1784	3120	chrome.exe	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2588
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1cff9758,0x7ffe1cff9768,0x7ffe1cff9778
    3⤵
    PID:808
  - - \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:2
    3⤵
    PID:4968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:8
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1840 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:8
    3⤵
    PID:1784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3252 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4636 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4548 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1880,i,7128691268403935130,14900934193504481549,131072 /prefetch:8
    3⤵
    PID:776
- \??\c:\tes2\Autoit3.exe
  c:\tes2\Autoit3.exe c:\tes2\script.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cbhbdcb\fggdede

Filesize
1KB

MD5
d01556d9584a3a2945045b208ea5e9d7

SHA1
1ff56ee9bffeebfb27b2cc1c7e4d02747953dcd1

SHA256
891fc97a0e9e3ccef4b66bce05c2c9bbff4131fcbf0120083de0acd3c8a550d3

SHA512
d8b2ccbc85b94ec2d3ff2f09350cb72f7e3de95a919ecf8aa6bf1594420c46a82188778e89af1749c5e5ff9ebcd3791b55c9e5b363b400dac052aa9f550c828c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
629B

MD5
ca2ab225d8a8040733d363793dd54b6d

SHA1
b717908704403622b2456bb156b34f952056317e

SHA256
b5b25aa5803eca6c4c3c0b0e3f1fa3b816272d4f91599b86422182c316737041

SHA512
b051733f9f69ff0d3e6d48b1886116e4122777ee464e472dac4d16de2da1176f8d31518e43498d8455d2796927696903cbba5e42ad52172dd804b1cec7cce4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ea11450c582378c93ce09304b27490ef

SHA1
8de26258a3fdc2a20a161e7a9f655bc2c8672466

SHA256
a2eb7536ff2fc2c77a7417a846205eaa7c789456be1f5045c363116bb519a840

SHA512
45839fb54af5544bd5d8cc6e672461581df38aa5b6ec2f8473d3d4eca5917d1185807e4268319d39c73514c630d05a914f48057f7eccb780b7ead867ac8a8240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
3ef5753232af885421f4e6da45ec8c96

SHA1
d0a232d7285139e20d1105755d3e560ab7246330

SHA256
d84917d1c6235cc3f966a4bc226b35bc85baae2b4a35969c59a4e752195016e9

SHA512
60273b949049e792197e89c8c762d6ff30c6808759f9d30c4d093c85c4eb10ff735d6e2b4f63e7a55a5b4febf0cba38e2180ff972397d97dc8fb90f1a9260684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\hCFeGKe

Filesize
32B

MD5
e1da50ac18bd834fe8cf7263d5c94e5c

SHA1
ff169ed990935a9797e151cd81ec6fa70af9c021

SHA256
3991a35f8e507952c45602ecb1fa4dbde7f3853d794586865fe8b57abb35d481

SHA512
81350adadfed33d37c5068da3fe81862708157501e3abce6c75b2fcc1a3103b93497edba21580264744fdc770160db1fb257875771b06a2178b6d9ea466ed9ba

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
f5aa698b73b601b633dc83f8fb440f02

SHA1
842306c02587675030b66ca93f608eabbdaadf7f

SHA256
73cca2de7f65d02cc60e747ab37cd3eeea73586528ac0343a81afd5f1a62d9c6

SHA512
420c5b66b8a911034e26ab48190cb6fcbea810daf8b00a25eaa58d29aff81c5bc76b522d999863dbf2a21d5534bec17765fe226cdac95f1c8843e6751590bc2c

Download Submit
C:\temp\document.pdf

Filesize
448KB

MD5
a26f0dc347b844309a57cb651f03e243

SHA1
2d1c78b1b8d776cbbb6e443458e8733d8315b911

SHA256
68d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6

SHA512
8cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35

Download Submit
C:\temp\fs.txt

Filesize
4B

MD5
4b2207916d2f6bafa73e0b66bdfd0b44

SHA1
ac9407a412d17b5a9133012d9621dc459bd9bd28

SHA256
c24632e41f239245f327612ee89e7a63ef0f719776715e9c31e4e74f32d97cbb

SHA512
13025f3b9dba394c48f76ab5a7a231cc91f58ccde55b401186a0a09833c522fcb92bd7fdcc07217a108be70ec4efb3b0bf78674eae6ecd404dda82c45160d917

Download Submit
C:\tes2\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tes2\script.au3

Filesize
583KB

MD5
c37514367bf7b08d6cd30f938b33146a

SHA1
06f277690f2bbe71bdfc77ca227455657bd02c31

SHA256
9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609

SHA512
3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23

Download Submit
\??\c:\tes2\test.txt

Filesize
76B

MD5
4252e248997cb141c0d2b5211d9459f7

SHA1
cad24dbb355b37345b85c9e276931ba6b3a7dd1c

SHA256
c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8

SHA512
25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2

Download Submit
memory/1988-12-0x0000000000E80000-0x000000000127E000-memory.dmp

Filesize
4.0MB

Download
memory/1988-0-0x0000027DB0AB0000-0x0000027DB0AB1000-memory.dmp

Filesize
4KB

Download
memory/1988-63-0x0000000000E80000-0x000000000127E000-memory.dmp

Filesize
4.0MB

Download
memory/2700-113-0x0000000004580000-0x0000000005550000-memory.dmp

Filesize
15.8MB

Download
memory/2700-114-0x0000000005C20000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/2700-128-0x0000000005C20000-0x0000000005F7B000-memory.dmp

Filesize
3.4MB

Download
memory/2936-139-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-145-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-124-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-133-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-135-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-137-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-123-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-166-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-122-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-164-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-156-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-162-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-147-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-148-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-160-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-150-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-125-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-152-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-158-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2936-154-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-151-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-155-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-157-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-153-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-159-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-161-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-146-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-163-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-144-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4540-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download