darkcomet | aecef6d3695122c47aa63b8987aad0155c36b54016a3bab9b59c216ac8e53027

Analysis

max time kernel
71s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-04-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prevmkali.exe
Size

251KB
MD5

e556b66a52ae28b3c877a9f3c419c5e3
SHA1

3a71dfde7b64c92cca1a023d0c807364d7d4cc1f
SHA256

1993dacf9211a1dab3c7cca176add0714f3061a7c9cb2edaacd31448c16c746a
SHA512

cd8b4a5ba819848cf48b8e59da0099324b06c54bb913381720e612e003a47cef583b4f96947d70a40e41445a802d4368835d339c0a2a2b5c7b91bfbd604df277
SSDEEP

6144:TdcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37k1:TdcW7KEZlPzCy37

Score

10^/10

darkcomet guest16 evasion rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

6.tcp.us-cal-1.ngrok.io:12638

127.0.0.1:1337

Mutex

DC_MUTEX-RSWN5YL

Attributes

gencode
7gEewe3dp4fF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

prevmkali.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" prevmkali.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	prevmkali.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	prevmkali.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2372-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2372-147-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2372-149-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2372-150-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2372-151-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	prevmkali.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 6.tcp.us-cal-1.ngrok.io
26 6.tcp.us-cal-1.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	6.tcp.us-cal-1.ngrok.io
26	6.tcp.us-cal-1.ngrok.io

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2776 chrome.exe
2776 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

prevmkali.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2372	prevmkali.exe
Token: SeSecurityPrivilege	2372	prevmkali.exe
Token: SeTakeOwnershipPrivilege	2372	prevmkali.exe
Token: SeLoadDriverPrivilege	2372	prevmkali.exe
Token: SeSystemProfilePrivilege	2372	prevmkali.exe
Token: SeSystemtimePrivilege	2372	prevmkali.exe
Token: SeProfSingleProcessPrivilege	2372	prevmkali.exe
Token: SeIncBasePriorityPrivilege	2372	prevmkali.exe
Token: SeCreatePagefilePrivilege	2372	prevmkali.exe
Token: SeBackupPrivilege	2372	prevmkali.exe
Token: SeRestorePrivilege	2372	prevmkali.exe
Token: SeShutdownPrivilege	2372	prevmkali.exe
Token: SeDebugPrivilege	2372	prevmkali.exe
Token: SeSystemEnvironmentPrivilege	2372	prevmkali.exe
Token: SeChangeNotifyPrivilege	2372	prevmkali.exe
Token: SeRemoteShutdownPrivilege	2372	prevmkali.exe
Token: SeUndockPrivilege	2372	prevmkali.exe
Token: SeManageVolumePrivilege	2372	prevmkali.exe
Token: SeImpersonatePrivilege	2372	prevmkali.exe
Token: SeCreateGlobalPrivilege	2372	prevmkali.exe
Token: 33	2372	prevmkali.exe
Token: 34	2372	prevmkali.exe
Token: 35	2372	prevmkali.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

prevmkali.exe

pid process

2372 prevmkali.exe

pid	process
2372	prevmkali.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

prevmkali.exechrome.exe

description	pid	process	target process
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2372 wrote to memory of 2716	2372	prevmkali.exe	notepad.exe
PID 2776 wrote to memory of 2860	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 2860	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 2860	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe
PID 2776 wrote to memory of 764	2776	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	prevmkali.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	prevmkali.exe

C:\Users\Admin\AppData\Local\Temp\prevmkali.exe
"C:\Users\Admin\AppData\Local\Temp\prevmkali.exe"
1⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:2716

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5569758,0x7fef5569768,0x7fef5569778
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:2
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2340 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:1
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:1
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:2
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2272 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:1
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3212 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3192 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3756 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=1324,i,1617765535699119357,2286140301729425809,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
33f46ecdfe50d5389953748b82b707d5

SHA1
672f99e26fca4c3f3974bc4412923d4ffe226182

SHA256
9fbc123100812c45bf64d42afb21b1a443cc9899532a20f7bffa47502b5c816f

SHA512
e398dbcf6d633de267b836b9ea7952704adbc1860f26f4fbc3fb25a33636d3f4779a11e84bca17a8e094e6c7aa26d617313c07018fa0792ecb0af3b600b418b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
726f7ed28bddae9ceba02bcd45ffde72

SHA1
8fcf12037787f71c9b2191dfabf20f2c63359010

SHA256
97f62a1594a6fb2e60616bfec967eab8040369622c1e83a47bfc16df288169c0

SHA512
deba33f13a8e5327b3f67487af883b93f40f0823992a720379a465d74dc494ca4bccb7af09053568a0c83356d259cdc927e009fb8cebfbb2b7d9630e7c07b728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser
Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
264KB

MD5
62e3a43cbd4e0475b822348b94fbb83e

SHA1
ff637d1a1a6617f686bfd340cc5d6df2fc827915

SHA256
eb98bb3c1b385f359530cb3e55b37b3b52b518f8f25271cedf7036c9cd71dfad

SHA512
543377ab71a2af02114e83d82f87e511a84985d391967422cd28111fb58ebde4f9f681f8354f0154b25bc2f30de6f683251f9c539e20831e5b9eb5ece1f40ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
70KB

MD5
ab6f3075fab3bb41c446681f496fa928

SHA1
1549725534bf757295f4015addd543a7e0d069db

SHA256
b8f1f514b2342a6c98501a58e98955c88083064ca211375291ff29bcb58b2763

SHA512
9e285983a903cfe18b0621de7cc37f68c1e25a9f5a73d7ec23b72ba02cf511677db25a4662c8e1d30a1900808e37ac5343c4b6503bab48476971818ab5d115a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2776_GLSUFGCARAKCNTBI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2372-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2372-147-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-149-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-150-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-151-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2372-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-25-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2716-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download