Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2024 13:18
Static task: static1
Behavioral task: behavioral1
  Sample: document_reader - Copy.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: document_reader - Copy.exe
  Resource: win10v2004-20231215-en
General
Target: document_reader - Copy.exe
Size: 3.9MB
MD5: 0b3862697827944cc338f06ba9105afa
SHA1: c4b09f47e7942f487986622e61643c347311436a
SHA256: 964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837
SHA512: 6b1d4ececa6d88166ed538958ecc85731100600468484e4f52e826e0e7a2733dbb1eccaedc7ae66902fbd2cdf7acae2ee70d2cc65c745ed39d8ecf687f599224
SSDEEP: 49152:xsoCGLD9MP+a3FLiyDxn8P7Sfcaf+eHMms:xsrBVV
Malware Config
Signatures
Detect DarkGate stealer (39 IoCs)
YARA rule family_darkgate_v6 matched in behavioral2 memory dumps of three processes (dump index after the PID):
  PID 3616 Autoit3.exe, region 0x06260000-0x065BB000: dumps 28, 130
  PID 1448 vbc.exe, region 0x00400000-0x00472000: dumps 107, 120, 121, 127, 135, 137, 139, 141, 142, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170
  PID 1592 vbc.exe, region 0x00400000-0x00472000: dumps 143, 145, 147, 149, 151, 153, 155, 157, 159, 161, 163, 165, 167, 169, 171
0x00400000 is the default image base of a 32-bit executable, so in both vbc.exe processes the DarkGate payload sits where the compiler's own image was mapped, consistent with the SetThreadContext injections listed below.
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  PID 3616 Autoit3.exe created a process whose parent was set to DllHost.exe (PID 3772); the process tree shows this child as vbc.exe PID 1448
  PID 1448 vbc.exe created a process whose parent was set to taskhostw.exe (PID 2696); the process tree shows this child as vbc.exe PID 1592
Downloads MZ/PE file
Executes dropped EXE (1 IoCs)
  PID 3616 Autoit3.exe
Uses the Visual Basic compiler (vbc.exe from the .NET Framework) for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  PID 1448 vbc.exe set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCFeGKe = "C:\ProgramData\dhbdbgc\Autoit3.exe C:\ProgramData\dhbdbgc\efdghfb.au3"
  The persistence entry points at a second copy of the AutoIt interpreter and script under C:\ProgramData; the copy executed during this run was c:\tes2\Autoit3.exe c:\tes2\script.au3 (see the process tree).
Suspicious use of SetThreadContext (2 IoCs)
  PID 3616 Autoit3.exe set thread context of PID 1448 vbc.exe
  PID 1448 vbc.exe set thread context of PID 1592 vbc.exe
HTTP links in PDF interactive object (1 IoCs)
Detects HTTP links in interactive objects within PDF files.
  C:\temp\document.pdf matched YARA rule pdf_with_link_action
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Autoit3.exe: opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and queried its ProcessorNameString value
  vbc.exe: same key opened, same value queried
  vbc.exe (second instance): same key opened, same value queried
Enumerates system info in registry (2 TTPs, 3 IoCs)
  chrome.exe: opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS and queried its SystemProductName and SystemManufacturer values
Modifies data under HKEY_USERS (2 IoCs)
  chrome.exe: created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  chrome.exe: set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133516991162292599"
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2040 chrome.exe (2), PID 3616 Autoit3.exe (6), PID 1448 vbc.exe (4), PID 1592 vbc.exe (2)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 1448 vbc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  PID 2040 chrome.exe (4)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
  PID 2040 chrome.exe: SeShutdownPrivilege and SeCreatePagefilePrivilege, enabled alternately, 9 times each
Suspicious use of FindShellTrayWindow (27 IoCs)
  PID 2040 chrome.exe (27)
Suspicious use of SendNotifyMessage (24 IoCs)
  PID 2040 chrome.exe (24)
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1484 document_reader - Copy.exe wrote to memory of PID 2040 chrome.exe (2)
  PID 1484 document_reader - Copy.exe wrote to memory of PID 3616 Autoit3.exe (3)
  PID 2040 chrome.exe wrote to memory of PID 520 chrome.exe (2)
  PID 2040 chrome.exe wrote to memory of PID 420 chrome.exe (2)
  PID 2040 chrome.exe wrote to memory of PID 1432 chrome.exe and PID 3164 chrome.exe (the remaining 55 entries, all parent-to-child writes within Chrome's own process model)
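The three signatures that carry the weight of this report (a process created under a parent other than its creator, SetThreadContext against another process, and a Run key that launches Autoit3.exe with a .au3 script) are easy to turn into detection logic. The Python below is an added example for this page, not part of the sandbox report or of any vendor's tooling: it runs simple checks over constructed telemetry records whose values are taken from the tables above. The record layout and field names (op, creator, pid, parent, src, dst, key, data) are this example's own assumption, not a Sysmon or EDR schema, and the chrome.exe record is included as a benign control.

```python
"""Added example: correlate the DarkGate indicators from this report per PID."""
import re

# Value name is the last path component under ...\CurrentVersion\Run\ (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Persistence data of the shape "<dir>\Autoit3.exe <dir>\<script>.au3".
AUTOIT_AU3_RE = re.compile(r"autoit3\.exe\b.*\.au3\b", re.IGNORECASE)
# The .NET Framework Visual Basic compiler used as an injection host.
VBC_RE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\vbc\.exe$", re.IGNORECASE)

VBC = r"c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCFeGKe")

# Constructed telemetry (assumed field names); PIDs, paths and data come from the report.
EVENTS = [
    {"op": "create", "creator": 3616, "pid": 1448, "image": VBC, "cmdline": VBC,
     "parent": 3772, "parent_image": "DllHost.exe"},
    {"op": "set_thread_context", "src": 3616, "dst": 1448},
    {"op": "reg_set", "pid": 1448, "key": RUN_KEY,
     "data": r"C:\ProgramData\dhbdbgc\Autoit3.exe C:\ProgramData\dhbdbgc\efdghfb.au3"},
    {"op": "create", "creator": 1448, "pid": 1592, "image": VBC, "cmdline": VBC,
     "parent": 2696, "parent_image": "taskhostw.exe"},
    {"op": "set_thread_context", "src": 1448, "dst": 1592},
    # Benign control: a Chrome child created with its true parent.
    {"op": "create", "creator": 2040, "pid": 1432, "image": CHROME,
     "cmdline": f'"{CHROME}" --type=gpu-process', "parent": 2040, "parent_image": "chrome.exe"},
]


def ppid_spoofing(events):
    """Creations where the creating PID differs from the parent the child reports."""
    return [(e["pid"], e["creator"], e["parent"])
            for e in events if e["op"] == "create" and e["creator"] != e["parent"]]


def cross_process_thread_context(events):
    """SetThreadContext against another process: the hollowing/injection step."""
    return [(e["src"], e["dst"])
            for e in events if e["op"] == "set_thread_context" and e["src"] != e["dst"]]


def args_after_image(cmdline, image):
    """Arguments following the image path, whether or not the path is quoted."""
    c = cmdline.strip()
    for prefix in (f'"{image}"', image):
        if c.lower().startswith(prefix.lower()):
            return c[len(prefix):].strip()
    return c


def argless_vbc(events):
    """vbc.exe started with nothing to compile: an empty host for injected code."""
    return [e["pid"] for e in events
            if e["op"] == "create" and VBC_RE.search(e["image"])
            and args_after_image(e["cmdline"], e["image"]) == ""]


def autoit_run_keys(events):
    """Run-key values that launch the AutoIt interpreter with a .au3 script."""
    hits = []
    for e in events:
        if e["op"] != "reg_set":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if m and AUTOIT_AU3_RE.search(e["data"]):
            hits.append((e["pid"], m.group(1), e["data"]))
    return hits


def darkgate_alerts(events):
    """Collect reasons per PID; report a PID only when two independent indicators agree."""
    reasons = {}

    def add(pid, why):
        reasons.setdefault(pid, []).append(why)

    for pid, creator, parent in ppid_spoofing(events):
        add(pid, f"created by {creator} but reports parent {parent} (PPID spoofing)")
        add(creator, f"spawned {pid} under spoofed parent {parent}")
    for src, dst in cross_process_thread_context(events):
        add(src, f"SetThreadContext on {dst}")
        add(dst, f"thread context rewritten by {src}")
    for pid in argless_vbc(events):
        add(pid, "vbc.exe started without compiler arguments")
    for pid, name, data in autoit_run_keys(events):
        add(pid, f"Run key {name} = {data}")
    return {pid: why for pid, why in reasons.items() if len(why) >= 2}


if __name__ == "__main__":
    for pid, why in sorted(darkgate_alerts(EVENTS).items()):
        print(pid)
        for w in why:
            print("   ", w)
```

Run against the constructed records, this flags PIDs 3616, 1448 and 1592 and stays silent on Chrome. One caveat for reuse outside a sandbox: the creator field presumes telemetry that records the process that actually called the create routine; a plain process-creation event only carries the parent the new process was given, which is exactly the value the spoofing sets, so the PPID check needs a source that exposes the calling process, while the Run-key and argless-vbc.exe checks work on ordinary registry and process-creation logs.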
Processes
(Both vbc.exe instances appear under DllHost.exe and taskhostw.exe only because their creators supplied those PIDs as parents; the NtCreateUserProcessOtherParentProcess entries above identify the real creators, Autoit3.exe PID 3616 and vbc.exe PID 1448.)

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 3772)
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1448)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  (PID 2696)
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1592)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"  (PID 1484)
  - Suspicious use of WriteProcessMemory
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"  (PID 2040)
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe353d9758,0x7ffe353d9768,0x7ffe353d9778  (PID 520)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:2  (PID 1432)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8  (PID 420)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8  (PID 3164)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1  (PID 5032)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1  (PID 4432)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1  (PID 4392)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3732 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:1  (PID 1976)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8  (PID 1516)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1860,i,5966254301662210989,12406785416960097495,131072 /prefetch:8  (PID 1212)
  c:\tes2\Autoit3.exe c:\tes2\script.au3  (PID 3616)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"  (PID 748)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 8dd6d440183acdf6c4b9036b71380fb0
SHA1: 9efef10c7975657ed6f755b7fa361ef2861f740e
SHA256: c90485928b47b58b9b98c1ba22b92030f76ab95421fa3dc59fdad00859ba5fde
SHA512: bd855fb8ecaf47b76c0cd86d9f1de20d06161532ab7b89d1bc7bbc747bc1e63ea39f19aec031db9c2e0d7d41909399d0b57e61b2295a97f6c0b952016f76dfc1

Filesize: 629B
MD5: e1b6bf7532564bccc85a42bfd3ed09fc
SHA1: 270f663e72d9b8b02b70d233973e77dc74421eee
SHA256: 99c3d5414243f66423ffeaf59e221282b11d5c33bf6dca683b56c8fead59bd47
SHA512: f83b8074f52939eb786c44dfba0dfd79af5f961aeb1fba50c1a93be4fae174413bad61786a48abf48f2ba45c164db4edba12903e292b6691028ca8a9c81977ba

Filesize: 5KB
MD5: 69e4ec11d675dc8b68028c02b97023f2
SHA1: 678d1e5e96c7e05a090c19cf36b73d691e84a049
SHA256: 26aa1790297ee8f71af7cafa081bb439b601cc0da5ff8cecf89836af85e3be4b
SHA512: 64549f4eda67dad3adf7089aeced5f5bd67ad9cf77f11542b1aa780c5b5af6d8b8126085318af022042693e04a4b78991a69c8533018bb24c8abd4267df5359e

Filesize: 128KB
MD5: bcf14183b78ead8091e0027b03a23f8a
SHA1: ac93f68c801e1c4345a9d005d861e6921fe514ff
SHA256: da391a2b503ef637571c961aa550ba15a0ee891d56560a668625c173a50eef97
SHA512: abdbbc872c82ec40304a5df1eaa30c44c8275050d9fbb1e896b99c8439e4aabc857378d36d548bf232c48367006e4b1de824ca6554316ae38ef2cfc372334bf5

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 32B
MD5: 602f0859d2869bf862a790a3bb2dba5e
SHA1: 7de133ff93509ea749898fbe1f2e6e8a12bb6390
SHA256: 14e32ee42768c963c6a9caa2f21be397493c7b02290f624fa2aeb954358e2975
SHA512: e1ac85f32bda84a7b4f2fe9cad7b4264e1121179ff3b2e944350e8fb6e282c5c94b3a5604bbd9c53d42345f63df208809bd0d774074f02bea5878994ab2131ab

Filesize: 4B
MD5: a1edb1cfb617e95114d17a06c27823e0
SHA1: 02bb843da4e0041766897a8f549e2fef8507b646
SHA256: fe005fea2084712e00ef1e4fc2d9eb877c7491f4a26296f1ff97c13129abdc60
SHA512: a64dcc7e8ce715d93b376ac98d1d6cdf28c27759b6a333c5947a227aaf357151ee9f87083adef3f09faa49757b94e70c26ae318ce70f00e775e0a9dee34e0f45

Filesize: 448KB
MD5: a26f0dc347b844309a57cb651f03e243
SHA1: 2d1c78b1b8d776cbbb6e443458e8733d8315b911
SHA256: 68d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6
SHA512: 8cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35

Filesize: 4B
MD5: ded0b0f1cba9196c43d6bc4900f6e5ed
SHA1: 01862a3709869af9f5971e17488a99caf6edfd35
SHA256: e344b20b5c55435fc6bba90fd47903befa086207a3e77cf213f473e9de66a1b1
SHA512: b0d0e1f385d922597df559e6c7abf193e99eba735b24ce014a4914efc761a13bf0b2705c62b057f66eb5881d645eb90617d1104d1e3fe57d686237c3de004875

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 477KB
MD5: eee5e08f818497f64d26f8969f9640a1
SHA1: bda31b6c209232a732fc3b0ff1e136824f4a4780
SHA256: ac492754c566f98d21e65dc95c784ddbbcc47ea50c4ff2224e5cc5bb15494848
SHA512: 9b06a8812cecf5dae96a1e5eb235b5370f8bb44ada6f02f05db8ab068e765e4365e9b6e6b24d39b6d5fa116ff01e9bec9e78a75c025745c1b4af42284be90d8f

Filesize: 583KB
MD5: c37514367bf7b08d6cd30f938b33146a
SHA1: 06f277690f2bbe71bdfc77ca227455657bd02c31
SHA256: 9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609
SHA512: 3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23

Filesize: 76B
MD5: 4252e248997cb141c0d2b5211d9459f7
SHA1: cad24dbb355b37345b85c9e276931ba6b3a7dd1c
SHA256: c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8
SHA512: 25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2

Filesize: not recorded (the four hashes below are those of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e