darkgate | hxxp://206[.]188[.]196[.]222/ex[.]zip

Analysis

max time kernel
222s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://206.188.196.222/ex.zip

Score

10^/10

darkgate admin000 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin000

145.239.202.110

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WXMqRdAD
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin000

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 12 IoCs

resource	yara_rule
behavioral1/memory/2052-105-0x0000000005B70000-0x0000000005EBF000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-111-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2052-112-0x0000000005B70000-0x0000000005EBF000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-116-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/4044-122-0x0000000002300000-0x0000000002AA2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-123-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-124-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-126-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-125-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/4044-128-0x0000000002300000-0x0000000002AA2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1556-150-0x0000000002E40000-0x00000000035E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/4044-152-0x0000000002300000-0x0000000002AA2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2052 created 3000	2052	Autoit3.exe	53
PID 1556 created 3756	1556	GoogleUpdateCore.exe	110

Executes dropped EXE 1 IoCs

pid	Process
2052	Autoit3.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133547463453823418"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
404	NOTEPAD.EXE
4136	NOTEPAD.EXE
4876	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe
2052	Autoit3.exe
2052	Autoit3.exe
2052	Autoit3.exe
2052	Autoit3.exe
1556	GoogleUpdateCore.exe
1556	GoogleUpdateCore.exe
1556	GoogleUpdateCore.exe
1556	GoogleUpdateCore.exe
4044	GoogleUpdateCore.exe
4044	GoogleUpdateCore.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
3244	chrome.exe
3244	chrome.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1556	GoogleUpdateCore.exe
4044	GoogleUpdateCore.exe
4168	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe
Token: SeShutdownPrivilege	2992	chrome.exe
Token: SeCreatePagefilePrivilege	2992	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
3228	7zG.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
2992	chrome.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe
4168	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3748	2992	chrome.exe	89
PID 2992 wrote to memory of 3748	2992	chrome.exe	89
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 2692	2992	chrome.exe	91
PID 2992 wrote to memory of 1280	2992	chrome.exe	92
PID 2992 wrote to memory of 1280	2992	chrome.exe	92
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93
PID 2992 wrote to memory of 4920	2992	chrome.exe	93

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3000
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://206.188.196.222/ex.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaee19758,0x7ffcaee19768,0x7ffcaee19778
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=980 --field-trial-handle=1876,i,16173392281527647428,7032820533386383107,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3996

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3756
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ex\" -spe -an -ai#7zMap17664:66:7zEvent4037
1⤵
- Suspicious use of FindShellTrayWindow
PID:3228

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ex\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\ex'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172
- C:\Users\Admin\Downloads\ex\Autoit3.exe
  "C:\Users\Admin\Downloads\ex\Autoit3.exe" script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4168

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ex\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4136

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ex\test.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\defddhb\ghedccd

Filesize
1KB

MD5
74bbd37466e69822cc7848adaa0d2ccd

SHA1
9c8cb736aef9afb0e48cf5c7c8cfc5f29d93bb20

SHA256
328e88d7f9e8b81e6459dab3354d4fa2b58388c73859c9c187235b38d1703596

SHA512
e5bd8e7b953fd91c95035cc2fe17bb4d27108e056453ba7f6af1b7cfda610ad93affe61d62a9799294abfa8f1230db77927e87b20ae0b2e33ec27a19d91a1ec7

Download Submit
C:\ProgramData\defddhb\hhdehge.a3x

Filesize
471KB

MD5
efe551a38a99dcadb580a2db1474352e

SHA1
d1e5d154c05dec4d7bdffdddb9555adb1dbd7b9d

SHA256
c93d702d8339e733d8f9aafdf2383c94e7dec9cb7e96dd74243497f385b947eb

SHA512
a87228cac6a024c87a4a9ef4935ebe8180721ac82bf05c13ef9a112817667e9ea108864aa32c34c9356aebc972e9afd985c03157ffec7dcd28fa79f8f67173cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d000be93248582bc1d729be5ff0c3b2f

SHA1
b3e18e25613bf7534cab8a41d17b7d8a1229ad6b

SHA256
dd9fd1f91f98c4930bb708d3c0212c3019c510577c22cd1b79c63349a000e93b

SHA512
ddc869d42d8af0f56d3e87138ce4a94f6dcb3562ae1838073cb3e0b5db284a500a4d22f1181dc23b3d1e63e5dbfb7b643085be10a713feba0c8b923d34051719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5c154d9ae8561788dc4d279ef4fe8c40

SHA1
21c61242f116b11c5698f75324fa30df430089ec

SHA256
6075574e82fe3ff23a77078698cb7f54eaa1de03dc1a5303fd3103293e503f21

SHA512
5e94fb502b0533b618cafbcf3f4b8a434676119b756bdd0852b2d1ef0179410115c051e4d2745ceef765b9060f5259d33d2c0cd333f289200d7520538f2aae15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
1e61dacbeeac14850a00dd19ebc32361

SHA1
14e1559d05c7cfb451c0bc086d18647fd2540779

SHA256
8918e0025e555a9d461df96d4cd418148a2eee8eface032ff8612be29c5f9d41

SHA512
cf82b516e31902b199e483a674289689333b33444b4d682ad264ca0a920b3966baa698664a81d7ee4444d33f35025e3b0235d182842c2b2db6bbcc77ce72ede8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0hihrvv.xro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DEKdccK

Filesize
32B

MD5
4537180498ead33af7488420bdd47e36

SHA1
b642e20f7f7b70c1eeedc58f01a2e6608e038162

SHA256
579758bfee6f690dc3dcda5991b6c26748a34d238ae2f4bfc75d4d01ea9f9265

SHA512
0d594abd75e014f05f5c2f9b2a621ca4b7ca3e1b0ebfa37ce5998f150ad100edf30a2a56ae68d7ac5f8750fb9bfbf946919a365892864683fcb1de55aa155e8c

Download Submit
C:\Users\Admin\Downloads\ex.zip

Filesize
736KB

MD5
c9cc24ad1e246113f1faede93cab6dfd

SHA1
d0abdc0ddb2b1f90509f69f507bb3aa205cade12

SHA256
c41d1cd112b510efcb5c2147a51084db130d769559ff9415339e696f59efe7f9

SHA512
327ccded1d467effde201f255f9708ef3b4842ac06e2170154e4830b85d1f7215fe0dae270bb964bd2bb7024a45440910720a6ed423131187c100c9bdbcb0f7d

Download Submit
C:\Users\Admin\Downloads\ex\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Downloads\ex\script.a3x

Filesize
468KB

MD5
09c72552b42b0fae2552c41acfbb7cf2

SHA1
6669f042ebb9db63e17e153fc8995b0590805f2c

SHA256
0bb0d54ffd2039653da143e12d566018e54309dddef9f6606d2d7484d27e65f0

SHA512
6f0d47e8d329b8da0f99f50f2e602eb79a5f18bb9ba619223df821c17e329651b56673fe1bf5b5af0ffe199e36cd4e6b39f244fe3b63ae09c314226777ce529c

Download Submit
C:\Users\Admin\Downloads\ex\test.txt

Filesize
76B

MD5
23e148a3d47b55033e9cca832d3f9725

SHA1
c973359fbdd34453f527b13780da41986e78b768

SHA256
9fb6cfff8eaaa0acac13a86f6626a9f9034ba7063daf33c4acb1d692dcbd70f4

SHA512
269368c92495a0b54b84eabbd216fac2db9c07f8ea445d68bbf2210ef76c0cedfff8ff892e3e00495122bfb455abbf18a25bfbc0dc34910f98c2320cc3e0d754

Download Submit
C:\temp\fcdhcgf

Filesize
4B

MD5
511fdcab9b3c302659033145925c4d09

SHA1
a7684de1f5889a0f903af5e0e71741b36088613b

SHA256
2621cbaefc4d5bd40662c7de6777cc48a2ea8efea062bb3628228572a84ba8ff

SHA512
3ff26e11209f223088d6088da760353ec87f09263a55b073e049e258b0002cf3942f8f49fdcb931c0b4a5e6c3e23e143f0c17f071b80addeb996d971b4dd4874

Download Submit
C:\temp\fehdcac

Filesize
4B

MD5
caa3a07ab3ee3b6a39c7037c34575f97

SHA1
30c24345004a5aa7149e2d154cde4d6b88854531

SHA256
569aba654fe8ccb5b535d6c11c0595e8ae2ead58c51f1f6573cf834e2652d63d

SHA512
7e452da393a3fe54b23662a3a827ea423dd17bd0454ed8c8b99fa41b4a090b1284e80c1ef6efe18a03a179a709a20390f6ed96990fa4c71402603dd24f14bdcc

Download Submit
C:\temp\fehdcac

Filesize
4B

MD5
da8d839ebc61d5e2846d207417848de1

SHA1
15ca1dbf86b77f327c286d69cc05680421531559

SHA256
accf00dcaa5f763f5e30a03485e9a0c2aab39c2608808a6554f0f7c21a30e361

SHA512
c6d4b5c27f441901ab6ba49ae40ebc99ef2ab8904fc83cc5abf9d43a9f0e863adc1b09a9d06a3fbb3da6da43f17d47fc39dc041032e2d98933babb715d2dd020

Download Submit
memory/1556-126-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-124-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-123-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-116-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-125-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-150-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/1556-111-0x0000000002E40000-0x00000000035E2000-memory.dmp

Filesize
7.6MB

Download
memory/2052-97-0x0000000004680000-0x0000000005650000-memory.dmp

Filesize
15.8MB

Download
memory/2052-105-0x0000000005B70000-0x0000000005EBF000-memory.dmp

Filesize
3.3MB

Download
memory/2052-112-0x0000000005B70000-0x0000000005EBF000-memory.dmp

Filesize
3.3MB

Download
memory/4044-122-0x0000000002300000-0x0000000002AA2000-memory.dmp

Filesize
7.6MB

Download
memory/4044-128-0x0000000002300000-0x0000000002AA2000-memory.dmp

Filesize
7.6MB

Download
memory/4044-152-0x0000000002300000-0x0000000002AA2000-memory.dmp

Filesize
7.6MB

Download
memory/4168-133-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-131-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-142-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-143-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-141-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-139-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-140-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-138-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-137-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4168-132-0x00000216FFAF0000-0x00000216FFAF1000-memory.dmp

Filesize
4KB

Download
memory/4172-88-0x0000024CB9170000-0x0000024CB918E000-memory.dmp

Filesize
120KB

Download
memory/4172-102-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-85-0x0000024CA0950000-0x0000024CA0960000-memory.dmp

Filesize
64KB

Download
memory/4172-84-0x0000024CA0950000-0x0000024CA0960000-memory.dmp

Filesize
64KB

Download
memory/4172-86-0x0000024CB9120000-0x0000024CB9164000-memory.dmp

Filesize
272KB

Download
memory/4172-87-0x0000024CB91F0000-0x0000024CB9266000-memory.dmp

Filesize
472KB

Download
memory/4172-110-0x0000024CA0950000-0x0000024CA0960000-memory.dmp

Filesize
64KB

Download
memory/4172-89-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-100-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-130-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-109-0x0000024CA0950000-0x0000024CA0960000-memory.dmp

Filesize
64KB

Download
memory/4172-119-0x0000024CA0950000-0x0000024CA0960000-memory.dmp

Filesize
64KB

Download
memory/4172-144-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-83-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-82-0x0000024CA0990000-0x0000024CA09B2000-memory.dmp

Filesize
136KB

Download
memory/4172-155-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-159-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download
memory/4172-163-0x0000024C9FD70000-0x0000024CA0831000-memory.dmp

Filesize
10.8MB

Download