darkgate | hxxps://brodretjhayiuemci[.]com/

Analysis

max time kernel
393s
max time network
372s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://brodretjhayiuemci.com/

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

backupssupport.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
rNDPYLnH
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/4500-538-0x0000000004AE0000-0x0000000004B55000-memory.dmp	family_darkgate_v6
behavioral1/memory/4500-540-0x0000000004AE0000-0x0000000004B55000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 2 IoCs

flow	pid	Process
152	3232	wscript.exe
153	3232	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4500	Autohotkey.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3724	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autohotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autohotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577965948225704"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
4316	chrome.exe
4316	chrome.exe
4500	Autohotkey.exe
4500	Autohotkey.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
1508	7zG.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4004	3592	chrome.exe	82
PID 3592 wrote to memory of 4004	3592	chrome.exe	82
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 1252	3592	chrome.exe	85
PID 3592 wrote to memory of 2292	3592	chrome.exe	86
PID 3592 wrote to memory of 2292	3592	chrome.exe	86
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87
PID 3592 wrote to memory of 1920	3592	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://brodretjhayiuemci.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba2d0ab58,0x7ffba2d0ab68,0x7ffba2d0ab78
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:2
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4980 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4924 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3904 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5236 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5072 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3980 --field-trial-handle=1924,i,11825942279158309662,9052668663791077478,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2152

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\16-April-24-ACH-ee047520.jar"
1⤵
PID:3348
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3724
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\downloads\index.wsf
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  PID:3232
- - C:\C2d0\Autohotkey.exe
    "C:\C2d0\Autohotkey.exe" "c:\C2d0\script.ahk"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4500

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap23758:110:7zEvent7492 -ad -saa -- "C:\Users\Admin\Downloads\16-April-24-ACH-ee047520"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\C2d0\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\C2d0\file.zip

Filesize
777KB

MD5
60817831fc3ea259d45c9a537172f080

SHA1
bc6be7d44565b13e1008a3b962abc9bc6ee44217

SHA256
75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c

SHA512
02fc5b1202897e0d1d99ff636ab43b9d4bb6335f1fc538bd63d361b4025584f8196504f4366668dc919c1c8cb52eea3742fdf8746748dae00bef4af0c606ebdd

Download Submit
C:\C2d0\test.txt

Filesize
930KB

MD5
09d0df57b9e2d00852322828d9791bec

SHA1
9c31734e88aaa19934cfd490a088d1d255103db7

SHA256
51163c6eb169dfe30ebdbdc3193c25ecb264b7bd6e2e250be9824563f383464f

SHA512
11479b5c09a3bb0b0216908895b7f6c6f6f640fc493b7463402ce796c3cd54bfca8443e8889f5a4f352d830074c08c6e75035618ee17db4f144023b853709ba6

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3c6195bb3354308634c6f0761cbae606

SHA1
85de83a3d6360f4d8088aa44093f471719071ccb

SHA256
9a49bf1b109efaba1a70f3b51cc0b8cf8a6fd632571d76829986dd3418dd2b1d

SHA512
093a24db50ebf8eb108b9ff01cc0a5f25516b4e5be3892d0c8a7bbb26adc3ad1e2f7a8811da3e216e6d149542227b19b888870ea31267b15c972767667a303ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\000b3646-8f97-4722-97e6-1f9bb96b44bb.tmp

Filesize
8KB

MD5
d58ee6949fd05ae521de9c35adada885

SHA1
bea1a1ae72cf3f8507596221f9ba206bca6528cd

SHA256
2dc230ca2a6648791ad7e4dee0e360a4d92a8d54cc9f9df4d4fca19043f9636b

SHA512
5bc490d53e4884b08ea40d2b7600871b4b3922f9bb7f9cda81bdf0dad66238526c3b70b8c584015f61db6ae47ff491555e40f832b653f2dbc84f674ee99daff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
201KB

MD5
f5bc40498b73af1cc23f51ea60130601

SHA1
44de2c184cf4e0a2b9106756fc860df9ed584666

SHA256
c11b6273f0c5f039dfef3bf5d8efe45a2ecf65966e89eeb1a6c2277d712ae9fb

SHA512
9c993ef3ec746cbe937bbe32735410257f94ceb6f734d75e401fb78dc2e3ab3b7d83c086086f0e1230dc8dafd5328f9af664341eb781c72e67c4d84d1f6c1112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8789e61ce7465cca315618657f3c3118

SHA1
af669c54bc2ceb9a5c72d3c28bcb4d458f8f5be5

SHA256
4e007646195c7ca7a1156e6cff51c846d5130f368f1db86d1ec809bfebe4f75b

SHA512
0a22c44d22ca4c27fc8b41c75efb318969d97b9db919636896973e0b54884bf7ebd95a01d80d564d19f0f4ec43caf3902545a6c2cdb1f69f0973b2ad4139abc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0bdc75196f65012000f675930d3d5468

SHA1
57c3fef4057c13f3d79b1a3a8e44ff5f67087ddf

SHA256
5761a4965acd9d750ac00f1e412e87f939428bdc47e01246f979a914b7d927f1

SHA512
13c259a4edda334f5c80f3170979ffb61e788930d07a49bff7686edf4cfb243b39d5c0f2079cadbaed78ce2a35e1d58babbebbaedf7514de5060d82de053c1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f544f37488cefdfa59dc5cfadf7050c2

SHA1
bde3fc11bc318f3b31906efb5b0b1813127dd83f

SHA256
6e13245811915a9b87513b6561628f86b0ea8f32b6527ccfa05304ca90df8fc6

SHA512
8198c55ed984681e25a9b8a81b71c9341e12ab95b2f06f61ac3b58353649b2415447c1279ded3dcc5986d77f83679b71b7f4764d1d9c84a34eec1636636a824a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
ed11c98b8fdb98c57944521d348eff7a

SHA1
c93d3e0feefec51987b71bff3ef967f268ea8dd7

SHA256
7786c3001fc461f5542dd116a0c484a730cfcc7cee8819f9b52f57ae7b9541b8

SHA512
a8c297fcd9745d015c705a6d334bf09700cb6ef1c4ba3e66e29dcdf44629a9aa473e744aa033a9019bf01e23b2cd92d1cd1024a170c396617f9d445443be8c04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d43ffd15dd8464f9d0f792bf9ce2a31

SHA1
c6f2912479167d7d479b7f92be5ce1f6b664d0b3

SHA256
b158a25a7d8b8714a795cc0172cc60933d444a771f6ffc022f93fa2f8c200f6c

SHA512
7080c25f29d6e965b604bf6e97ab6bfec9b2cbccb2ef48a3921152f9db300f45ca88569e013ab2955977b7651854b96ece61598331da142209ed0bedfae73a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c6b2a27603baca627e6954da25193312

SHA1
d34542fd8bb26bd4a2839df54aeedf846e226672

SHA256
9450c5ab10b9f5c7cda1edc53ad71b653036498277a9eddfc232b5d2b49335f9

SHA512
60030eb43e719ac77134037f120b338a17369f86a3934c7a823dbc184c941232a1b6995ed536c504008f7053d6959a25f9e923b300e1761bb1df78d48bad14c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f33c5d98c31ddd087a25edbe72bff127

SHA1
86ac5dc8a9d5c0ac64b4aeba5fd6b97770915464

SHA256
29ae3926237e4abb2c7a1c76fb7053e634a99d227a60a3ca3760632371bde0d9

SHA512
a704409c5dbafc892562d61ae71f3c24b76988c01079c0c77fbe72d452c92acf3d72d603f90ebdffda49f7612a1a3c452275ed431f9c91f77de644150d1a623f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a8199e3fc111f078b34d8345097e025

SHA1
1e01123e72685cab47ca8225c0dea982788b1173

SHA256
40c9078c5634979ba8eee98ad9c7dd7d8a9d82de1741032281d2e8fe3847ea0f

SHA512
c2cd71c15f0404fc3f72d7b75b226a7dedd8e0e78c2f8d9cd6389def363cb6abd965b5c39802f7c4bcc45633478f0e9dde95f65b3b232eaed62234ea4210e15e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
749a5399785cbfffaeee1345ec97baad

SHA1
4722a83dccbbee898eaddf0da455515325430fc2

SHA256
9880ece7e0133f57370dbabf60216a36e9f825614b4b6e674d7a4208dd1d3691

SHA512
299743eafcd26dae7b15e13177b7a7ffea18c4df54a5192f06a2b775dcc036504180d5020dff24d3ff286acf5ade4c1391b6e574c89adf11da2859ad1d9a4aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
22ee0ee11266877c47672bba44e1d117

SHA1
f6e418c4776c7b6bb48f2bd808b9cec431acc05c

SHA256
fb378c5eba454c14109a6b7f932e4fdbde413cd8ae44a7c45f17fa2b7e9b218f

SHA512
20e739ba8f11c62241b2e613c32ac922de8f466070c9cf204a7588a52ae36ed73c104904a8f6ffcc433bab2c87bcd7cb261d0aa1160f920c9866a6b263d8bb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cc6e58d66c410853997a379c0c1e639b

SHA1
e471a90411157a531ecdbb9807805b930db69429

SHA256
b6aba169364b1b1d0e76648e6dc7bc11d981adf73f427f68dcf5128c206d4c4a

SHA512
f67c11e53a555992ebed2ab244e8ac982c696277ac2c60f2bc75227542933a264eaf39914dbc46fd190304058c2bccf2239b20284e534bee194dd1b8bef9a62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe590c99.TMP

Filesize
48B

MD5
fcd1ed895e7bb186342a75306e2de9d1

SHA1
7c75a10b19957e9fa43e6ee9e061b8bbf3165be6

SHA256
08486c6595b5d5b8e34449f078f3b2a6156bdd3b4c96dc9db4a2089ede2a8088

SHA512
791aa1d3b2d6bdc1636ec4d2f8490556df5992ab7cb2e393f25e34c60cce51f520663e23bb3c3c8252981e7f318bb764ace4aeca377ffd1877614cfc7a30182b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
ded5dd136b6d592138e6ae60aa0e0c70

SHA1
e4c2a9c5285687d6f9adcf62a9d1f8c6a1843cbd

SHA256
21634813ce934b10424a89861dd3d086ad175c51e17b1faf7e9288337f223209

SHA512
3be38dc2492e5042de2660b1754e93d284b8b3c46e978ee0df79ff948723fb5f9f493fa353caba82a81b5e3e0ed2114d9b3cc5afb9b3cb532b9b963c1c6a1ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
b29fe2d24d2234c8d5c607b3de1d5f19

SHA1
e0413fb298e7956fbc51bc58479747b3958ee9d0

SHA256
ee61c1423aeaba3e6d51af7d10ebe4e03c6a54c937d1f4fb14c29c9bdf72a53a

SHA512
f5e467bcf13ba396a7b27920afa9044651ece1c01ce41934d59fc4404fe3f7671d28f989fb67104eba83268d0c7bb5a356c95d31dbbd75b5a12936daf793950f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
f8cda99ae8a65139489973add5e346d0

SHA1
506ba5a14f029a29bd70e8c689d89cc314061177

SHA256
b20ca67b32d1e034b5aa452b7725ba708c44feb21079305271d552d999a1ab59

SHA512
c112cabaffe8e9ee0ceeb977113ce0eb5949c264d3c2061c4b949554a82f4387eba6c68dd46098a40b2ff25e97a97292620eeae1199eee53e762e21553a2082b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
f12a26f61a45da370e83f68da4f7f7d0

SHA1
f9dccf745dd6d51e8eb3553d33fbe203f46647cc

SHA256
abf6c513080dbf2115a23f751c89725c1a6d53df18a15161998aa1da3fe7ba6a

SHA512
4650b37609c8ab5c7f4a208ddce08324d84937f0f495cea8ce72879e0b08dbeaae66f9558b0f2c382527db64bd70ca50bfcf06c06e7759b5275573ffe2b8f21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
0ced8b59023f8ced1fdae5803c7e02be

SHA1
1ee026fbb32f2cd5f9511466ba9c9a206d6f0e1a

SHA256
d4593eec96418d351294f71e1b29a15f1b2f0065617442dafb05ad9be177d84b

SHA512
e18bb5add88843fe97eb1d74f5234e8a06b923b29b1cefc47c6cdc98635e89353a58a7ecaae233a7ae4fa1a1fd2dfaa780ed626d98d2ce79b08fbac663343a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587683.TMP

Filesize
94KB

MD5
1dd9246da70b0d2b4318379b59148a35

SHA1
f89ecc50ceeaf50b86441d7d30374a55ec57456f

SHA256
de05d6a9c003d38f92aa40a64345685a774dbfd11f493013fe133c79acc9da1e

SHA512
620705de5926325d31a15312b80b117f69801dbe50aae06a9f41a23a682ec8a66ad997a549cbebb745be3424d3fc18c5027d17f9712d398feace93d0bd8d44b6

Download Submit
C:\Users\Admin\Downloads\16-April-24-ACH-ee047520.jar

Filesize
28KB

MD5
b504eb2fb8e625e6967e4bccad1088e8

SHA1
9ca5a29c1f66de5367c30854adb9ed173d7a3fed

SHA256
56c93c26d3305315c2c63442163c6f8d22a6c425013bfe9ee0007849a7f8426b

SHA512
c1ec4d9659f1ebc8f7fec8f85f527262856ae5eca5a9e35514b7f16ece703e19e3cdf8fae3830732fe2bfb3fef56fabc6f36487170220af3b96df7c662d64e5e

Download Submit
C:\downloads\index.wsf

Filesize
243KB

MD5
60e923dc50030bf27a8aa27c0eeff59c

SHA1
047262b4503b784dfe7d13b4bc990ebefa9056a0

SHA256
a5e655ef647c441240212e9544ffde5583a81546775a4388e64f5952308ab58a

SHA512
542895a3a0e20e8cf3488189323bccb4fdc2d5af108811335baaae2ab384edcc92ecab63d3ee6378529371346ec2fcc7206019fa37df17ddf923507945816795

Download Submit
\??\c:\C2d0\script.ahk

Filesize
441B

MD5
334f3fd6c9fe35fa7d5e7d2780d636ee

SHA1
127f6bc9b9a42bf7036c3f39d66c87d32cddeaa2

SHA256
1c4d704dcf8a341a8a6129743b1eb84681d53c4459cdb62fe2954e41adfed961

SHA512
03389f83f96d6641e60003b6787a2f2726fc0affb6de9b9f92512fc79c49ca1c8d5448e3111f696ca1aa1c2b7268017f819e56292e8a3ed7d2d5f9224efb8e22

Download Submit
memory/3348-463-0x000002DA068D0000-0x000002DA078D0000-memory.dmp

Filesize
16.0MB

Download
memory/3348-465-0x000002DA068B0000-0x000002DA068B1000-memory.dmp

Filesize
4KB

Download
memory/3348-456-0x000002DA068D0000-0x000002DA078D0000-memory.dmp

Filesize
16.0MB

Download
memory/3348-446-0x000002DA068D0000-0x000002DA078D0000-memory.dmp

Filesize
16.0MB

Download
memory/3348-435-0x000002DA068D0000-0x000002DA078D0000-memory.dmp

Filesize
16.0MB

Download
memory/3348-427-0x000002DA068B0000-0x000002DA068B1000-memory.dmp

Filesize
4KB

Download
memory/3348-419-0x000002DA068D0000-0x000002DA078D0000-memory.dmp

Filesize
16.0MB

Download
memory/4500-538-0x0000000004AE0000-0x0000000004B55000-memory.dmp

Filesize
468KB

Download
memory/4500-540-0x0000000004AE0000-0x0000000004B55000-memory.dmp

Filesize
468KB

Download