darkgate | 9a3990e375cc3a3a9d6c659b5b5551900dcdc1e7fc8f807f85a951517c8ae96f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_reader.exe
Size

3.9MB
MD5

dd191e98e5c264b5078b13fe38566d7e
SHA1

5b8b2c15c9457bfd0ce9ed012c308f245ee6d92d
SHA256

9a3990e375cc3a3a9d6c659b5b5551900dcdc1e7fc8f807f85a951517c8ae96f
SHA512

72ee9f8fbab5beb5559c993941b1ec03e26ef6f8add89c89206e0283ea141cfa301cbb382fcac2bc4f6b2c9e88f64037f75dbb23f4477508848b8ef25be31289
SSDEEP

49152:zLaXnHEdxX+e3FLpgvDn8P7SM4af+QZ2asV:zLIIhGh

Score

10^/10

darkgate link pdf persistence stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 40 IoCs

resource	yara_rule
behavioral2/memory/564-28-0x0000000006380000-0x00000000066DB000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-119-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-121-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-120-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-124-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/564-134-0x0000000006380000-0x00000000066DB000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-139-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-141-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-142-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-144-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-147-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-149-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-150-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-151-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-152-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-153-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-154-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-155-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-156-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-157-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-158-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-159-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-160-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-161-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-162-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-163-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-164-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-165-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-166-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-167-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-168-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-169-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-170-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-171-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-172-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-173-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-174-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-175-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/2292-176-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral2/memory/5064-177-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 564 created 3868	564	Autoit3.exe	33
PID 564 created 3044	564	Autoit3.exe	29
PID 5064 created 3932	5064	vbc.exe	32

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
564	Autoit3.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\debbBFf = "C:\\ProgramData\\ekefbcf\\Autoit3.exe C:\\ProgramData\\ekefbcf\\kfgkccb.au3"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 5064	564	Autoit3.exe	101
PID 5064 set thread context of 2292	5064	vbc.exe	104

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x000600000002322a-14.dat	pdf_with_link_action

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133516991158490838"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
564	Autoit3.exe
5064	vbc.exe
5064	vbc.exe
5064	vbc.exe
5064	vbc.exe
2292	vbc.exe
2292	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5064	vbc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4320	1164	document_reader.exe	84
PID 1164 wrote to memory of 4320	1164	document_reader.exe	84
PID 4320 wrote to memory of 1212	4320	chrome.exe	85
PID 4320 wrote to memory of 1212	4320	chrome.exe	85
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 2836	4320	chrome.exe	87
PID 4320 wrote to memory of 4436	4320	chrome.exe	89
PID 4320 wrote to memory of 4436	4320	chrome.exe	89
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88
PID 4320 wrote to memory of 2784	4320	chrome.exe	88

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3044
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\document_reader.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e38a9758,0x7ff9e38a9768,0x7ff9e38a9778
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:2
    3⤵
    PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:8
    3⤵
    PID:2784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:8
    3⤵
    PID:4436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:1
    3⤵
    PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4136 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:1
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4836 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:8
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5360 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:8
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1904,i,14922231352193832187,1138610338376243270,131072 /prefetch:8
    3⤵
    PID:3888
- \??\c:\tes2\Autoit3.exe
  c:\tes2\Autoit3.exe c:\tes2\script.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ekefbcf\bdcbcba

Filesize
1KB

MD5
d722f327f2df0429610dc903d87a3640

SHA1
1fc64aad95267629441289922d79f38e1d848635

SHA256
c7d36ffecdc9b9ced642acfed2279bf61c1d6d96687d113feb72f2b4408052af

SHA512
d0099661fa889c86b4cf22c602d70f434b770b99b3979ed824d35284be36bc94dc37a8db494bb50f1c4eb68c82894119ed413ee91658008ec252cbcd7592076e

Download Submit
C:\ProgramData\ekefbcf\kfgkccb.au3

Filesize
583KB

MD5
c37514367bf7b08d6cd30f938b33146a

SHA1
06f277690f2bbe71bdfc77ca227455657bd02c31

SHA256
9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609

SHA512
3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
942B

MD5
4e07526bea76726b1f2bf91d5be9e7d2

SHA1
67682779677f67670c6fa012b9c50af4c94e5f27

SHA256
2e42081b41115e5be673737867465be328a08351abf706bae55e51ab173b2269

SHA512
8413a80a7b234a2bf25f4a9bb95f42fdd445a8de114b7afaacd91c26c3d0e7aadef084940f872973b04bd6fd841ffb6e757f97bdfd955682c5c284fa039f9444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7eecf47a70718c3cec274f687aaeb63c

SHA1
7f5a3a8da1e10d0e39228076bc4e86bcbcb391f9

SHA256
66814e29c44fc4cea109b43fa8debcd31da03da3d6cb4599fc9f1b02530f550b

SHA512
454c86c75aa5bf22006b1e6f58663acf60fd482370d2ab1f28ea0c200fa4438aa10ce5c57131f128c1de31c7b438205d64428ecae0fcacbfbb820399456bacb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6d84f5288904807e68bfdb9e5b230867

SHA1
31ca2cdd0f0a6a8f3957333137b468df06e8e9d6

SHA256
a1d8b9036d397c7613cfd14486f239166af837f1b2ca345c867e5aa6d5df7081

SHA512
c18dcafd05c22da2e233cbd398ff4e351a15acfed90c100fabbeb0f121218be329b81558b4ef0bb6de06a24ae94ee7e5065d58492f1f1b0f65a91fe7ab6e6e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
20860196d29174cefdf569ac1e03058d

SHA1
de14dc27fae21bfc7cefb6c50152b49d98f271c7

SHA256
4c3a205c0e1eeedcd55e257e4447c3843f0ae45ec486e802e7c2c06ced11d93c

SHA512
922e22bea14921ffff72ef0ea34846291c9bad3472c75a6ba079e24ec34d158dd3771a1159cc612bf7734ff1066b2d14b06433464b688a849c667cd63214299c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\debbBFf

Filesize
32B

MD5
d16f910300aca2b9abf6f8970ccbb7f9

SHA1
74e1709af8c4a94ebed4577c8259cbbc0e4a3fb4

SHA256
bbc52eac5e8df41f2078e05aa337a3077908706ccf21a55f0a282bc2fc631e56

SHA512
4fe46757d6d7460d9230eddc7d22965c759164e9d2844b41da8baf034ae39c4caca041e544ba5012ebc0801290755c21f27c60542f18bfd08ba98d4c95b38463

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
ea48958ef7c3bd915fb5bddf0ec2a77b

SHA1
2f0cb52ab5a0969a4e3b2311150091892210442d

SHA256
e706a62af651a5e364e890322b1f11d43de0c6393d6f9380616f199a129c8b1f

SHA512
820f0753d3a675c41f44e4982d71e76f704cd93732b41ff3a882c3961707f1fcdeeb3826fca3314e8eccb7adcf234fa2dd057f56c27bcf00f1420778013d6e88

Download Submit
C:\temp\document.pdf

Filesize
448KB

MD5
a26f0dc347b844309a57cb651f03e243

SHA1
2d1c78b1b8d776cbbb6e443458e8733d8315b911

SHA256
68d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6

SHA512
8cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35

Download Submit
C:\temp\fs.txt

Filesize
4B

MD5
9dd2f79bc3bc93e3b24711616f85d30e

SHA1
f65f521dda8a620e33b844c538c2e378e0ff20ec

SHA256
d2daed8b1f9fd677e928f45fdbdfbad65e1844d19d2a6bc69299938b35deff05

SHA512
d61f04eb793e18769dd45b4ac7797aa17504875ea754e6f333d10f4547ce4716dcb1bd5481fb6fcfa934cc47e22c1034c6ff348c3814658e5613d706870a7556

Download Submit
C:\tes2\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tes2\script.au3

Filesize
93KB

MD5
04fbbe98d0f0af1f2e0b7ec60760701e

SHA1
90a1d1487540c42764350aef6016071ed848a095

SHA256
1ad3ca93ee8190362aaf615214c5c34b453c01935d2785a47121b4e03699eb53

SHA512
8df2a2299035bebc5d6a8eae6418cabd8a3b4af4d7428cd097b25ba40490c69c52d2daa6f96598a8773934ed60104435f4297deb11d428b59066037931b14a18

Download Submit
\??\c:\tes2\test.txt

Filesize
76B

MD5
4252e248997cb141c0d2b5211d9459f7

SHA1
cad24dbb355b37345b85c9e276931ba6b3a7dd1c

SHA256
c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8

SHA512
25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2

Download Submit
memory/564-28-0x0000000006380000-0x00000000066DB000-memory.dmp

Filesize
3.4MB

Download
memory/564-27-0x0000000004CC0000-0x0000000005C90000-memory.dmp

Filesize
15.8MB

Download
memory/564-134-0x0000000006380000-0x00000000066DB000-memory.dmp

Filesize
3.4MB

Download
memory/1164-17-0x00000000003A0000-0x000000000079E000-memory.dmp

Filesize
4.0MB

Download
memory/1164-0-0x0000020490CC0000-0x0000020490CC1000-memory.dmp

Filesize
4KB

Download
memory/2292-147-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-156-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-176-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-174-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-172-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-170-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-168-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-166-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-164-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-149-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-162-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-151-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-160-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-158-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2292-154-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-150-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-121-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-157-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-153-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-159-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-152-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-161-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-124-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-163-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-119-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-165-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-155-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-144-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-169-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-171-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-141-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-173-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-139-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-175-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-120-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5064-177-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download