darkcomet | e65037238450eabc137cd356dcc62b16db53db61531154e64ca00acfd00e0213

Analysis

max time kernel
84s
max time network
203s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yooo.exe
Size

658KB
MD5

677d14c29be05629a77415b842492b76
SHA1

6b491eca627cb457414262cc9d417fab81b4db67
SHA256

e65037238450eabc137cd356dcc62b16db53db61531154e64ca00acfd00e0213
SHA512

de64f10a8c41488d3c88bd5edeaf530954a762a0ee1b49873b82a45604a7e7eb91c18569f8dec23e1129f9b52a312b9992508d948e60ee85dc71f2d498285f3f
SSDEEP

12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h3:+Z1xuVVjfFoynPaVBUR8f+kN10EB5

Score

10^/10

darkcomet guest16_min discovery persistence phishing rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

10.211.55.25:1604

Mutex

DCMIN_MUTEX-410US0Y

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
41iAjvfv0Zir
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

yooo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	yooo.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

2880 IMDCSC.exe
Loads dropped DLL 2 IoCs

Processes:

yooo.exe

pid process

1520 yooo.exe
1520 yooo.exe

pid	process
2880	IMDCSC.exe

pid	process
1520	yooo.exe
1520	yooo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yooo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	yooo.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

yooo.exeIMDCSC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yooo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2144 chrome.exe
2144 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

yooo.exeIMDCSC.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1520	yooo.exe
Token: SeSecurityPrivilege	1520	yooo.exe
Token: SeTakeOwnershipPrivilege	1520	yooo.exe
Token: SeLoadDriverPrivilege	1520	yooo.exe
Token: SeSystemProfilePrivilege	1520	yooo.exe
Token: SeSystemtimePrivilege	1520	yooo.exe
Token: SeProfSingleProcessPrivilege	1520	yooo.exe
Token: SeIncBasePriorityPrivilege	1520	yooo.exe
Token: SeCreatePagefilePrivilege	1520	yooo.exe
Token: SeBackupPrivilege	1520	yooo.exe
Token: SeRestorePrivilege	1520	yooo.exe
Token: SeShutdownPrivilege	1520	yooo.exe
Token: SeDebugPrivilege	1520	yooo.exe
Token: SeSystemEnvironmentPrivilege	1520	yooo.exe
Token: SeChangeNotifyPrivilege	1520	yooo.exe
Token: SeRemoteShutdownPrivilege	1520	yooo.exe
Token: SeUndockPrivilege	1520	yooo.exe
Token: SeManageVolumePrivilege	1520	yooo.exe
Token: SeImpersonatePrivilege	1520	yooo.exe
Token: SeCreateGlobalPrivilege	1520	yooo.exe
Token: 33	1520	yooo.exe
Token: 34	1520	yooo.exe
Token: 35	1520	yooo.exe
Token: SeIncreaseQuotaPrivilege	2880	IMDCSC.exe
Token: SeSecurityPrivilege	2880	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2880	IMDCSC.exe
Token: SeLoadDriverPrivilege	2880	IMDCSC.exe
Token: SeSystemProfilePrivilege	2880	IMDCSC.exe
Token: SeSystemtimePrivilege	2880	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2880	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2880	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2880	IMDCSC.exe
Token: SeBackupPrivilege	2880	IMDCSC.exe
Token: SeRestorePrivilege	2880	IMDCSC.exe
Token: SeShutdownPrivilege	2880	IMDCSC.exe
Token: SeDebugPrivilege	2880	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2880	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2880	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2880	IMDCSC.exe
Token: SeUndockPrivilege	2880	IMDCSC.exe
Token: SeManageVolumePrivilege	2880	IMDCSC.exe
Token: SeImpersonatePrivilege	2880	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2880	IMDCSC.exe
Token: 33	2880	IMDCSC.exe
Token: 34	2880	IMDCSC.exe
Token: 35	2880	IMDCSC.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe
Token: SeShutdownPrivilege	2144	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe
2144	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

2880 IMDCSC.exe

pid	process
2880	IMDCSC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

yooo.exechrome.exe

description	pid	process	target process
PID 1520 wrote to memory of 2880	1520	yooo.exe	IMDCSC.exe
PID 1520 wrote to memory of 2880	1520	yooo.exe	IMDCSC.exe
PID 1520 wrote to memory of 2880	1520	yooo.exe	IMDCSC.exe
PID 1520 wrote to memory of 2880	1520	yooo.exe	IMDCSC.exe
PID 2144 wrote to memory of 2952	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 2952	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 2952	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1428	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 2028	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 2028	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 2028	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe
PID 2144 wrote to memory of 1420	2144	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\yooo.exe
"C:\Users\Admin\AppData\Local\Temp\yooo.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7af9758,0x7fef7af9768,0x7fef7af9778
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:2
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1396 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1488 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2248 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:2
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1956 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3656 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2332 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2472 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=744 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2252 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1660 --field-trial-handle=1800,i,10329506755799485412,6233983179356613564,131072 /prefetch:1
  2⤵
  PID:1072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
52KB

MD5
6eee314dffa0f26c0a096511c95cd491

SHA1
2714d49a08f52b45caf4aa6d4fcccd2e322d9628

SHA256
9b7b69c3d2eac002e21642d863f3027367d34d196236a96dea89671bbb091f8a

SHA512
1faf7119b440a062750f4b448648f0054757979095a3e3cec9ae111a15f5888f5f10f4af2418239346cd6d83f16fcccd48575cb10a4b1dd626a66c256242b63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
143KB

MD5
f1895c2a2d9c43bdfc2e426d7895cd4f

SHA1
ee5acc6f3a05f7238c9bbeee43c65d072ecf620a

SHA256
1738346a86ed108c087bf1704b44128f9d363ac49ed26d90f499a98c081d9873

SHA512
9ec167775a48baaad81e241ebab8ee4120e45e5128c3070c34d89d487152adda080af4951c03ea133d690af995b5c1bbdf16e4cd1ac9d6f3b7a69dedaf12d414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
98KB

MD5
a57832ed48685110ee971d8f14b635b6

SHA1
8ac64d5bc09198ab7dd59c6f47f6579f01974d97

SHA256
76078aa6bf0f6ccb3fc6ecbd492ba16286fe1be11bb11e91ab61147c8851a7de

SHA512
8ddb567f21253505496722ad603207cfda5d191ff251651d9e71a21924f247ba908acd9fb3a983c3567696dc9306db7e5694cf1c0355b36043ab66904bc7453a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
20KB

MD5
cf0a72b0777b553d5a1b26b49c978a79

SHA1
dac1fafc4e2ea7c4f8d3e194fed653729c68c986

SHA256
5c11333f71b4e6c62f9c9b3b8c7efa7b65b140ee510fc4aa2e22c0bed1222cf6

SHA512
43e8963b0a98c44efdfb50702601f6c79c79da9e065e1a6dbed969ed70af4caffce08ca1afaed6bbb0ee9a9b3afffeea09e84aaec5f68966cd66b86936811142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
20KB

MD5
e688553c6fbe0a656a84407dd3cf282b

SHA1
18853957b35a70d61285d19d6495cb1c06e68c6f

SHA256
d66c3d59dedd75e0c6407b736716303e2a19c717c912ceb4506ef580c925bf83

SHA512
dce4ad3e23a9bfab17b844ad45a5a49a1ad1ad5bccbf79444b59dbbc54a608bfda82b35fd36a166fefa032d9cf4782fa9307e1189e30933b320acc83b45a5c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0d38f33e0b614b00_0

Filesize
302B

MD5
b22b88d2fa95578e3747c12f11cd793d

SHA1
94db5b581b2266c993cbaf12742cd2ccf5f7f905

SHA256
c07239845974e2d6074a129874eee7e5940f8df2d3ddf38d88c8221f8ffc5b20

SHA512
61efde88a53602641f9e803ed8a03395d75f1fc4265500263fe07313ba77b366106e89502b8db8c5f3e726e03f2abf7f967052fc63e2592d00e527d4af41095d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0f733a50e7697e06_0

Filesize
303B

MD5
1d156a296b85a0b506cdd77330420751

SHA1
890558f8dad4356737dce3e67133d15c8f4999cd

SHA256
920deb439e18d8a04d54dd3a23de0343276ac9b1809d575baec8d884db9d17cb

SHA512
912662d8c475ee6e6f07ecff9b78ea93e2112cdb4579f13d8bc90e2c95c0f307ad811c912834ac79a3938910a55789823dbca9d7e379e8f1860c73801d379b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\283d8db855abf9b5_0

Filesize
54KB

MD5
b9aa5c25ededf02f930d9c251f6a8831

SHA1
73d8405908cb58d7b7adf3208c3b1fadeaf49f23

SHA256
bc4dd58d1ef1e470a646b9b01a3e6a69d28296f61b6d729fbcb3be5851ff310c

SHA512
e665e7d5304d2186d81f72e80549275250e07e0d57e9129f4ea9a4b770b52c034acbb6a93e082e2bfce96c9f612eacd5ff0a574f5a7abbf4d159c0a0c7cec380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\31c340a71706de0d_0

Filesize
3KB

MD5
cd0057a5181e2ed842ea2e54c3a76b03

SHA1
3b54ff7d2b4aa02f479f3a88497a3567dd4eb656

SHA256
83ac37be01c0abd42b639287db23decf8ac2a69bfae083595e3074f0958f9204

SHA512
ae9fe23f9491ee270c89312d3bd4888e3adc9a8493262672585374d465e7ba4c35fd79fea4e567e832cad84dfdfd22d809edb59af282b4dea9f3c1cd61f18899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\61333bd04e8ee292_0

Filesize
328B

MD5
d47852ce40d82963b603423c840ec08a

SHA1
2fdf8eb9e4d50b0a3b3de4179fc7cec04a6a9ad5

SHA256
b758a43f827ffbc3a83a3e4a2d18ef1c95dc73c55149ca8facbf0d2787fa6596

SHA512
4fc78cd509e8190927ffc3cfe51bd4747c6f613e69e59efd7e4bc40012bf216db26039cf572c479862bdd20ae343c2a3dafe01dee02f50d102106f7676328b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bab66c6ede2db8dc_0

Filesize
3KB

MD5
85ae2d7349a2fa9ccd228e12ac1bc6f3

SHA1
af4893e27095b05ad8304c52509431c0f504de7a

SHA256
2b9cff204b2b8b7e3a2da89b36111706a4650b786312d3acfc3902a9c12691b5

SHA512
279ef2e594bb6753a8410e01d8a040f907db041a26d8d07ed41fc381bd75836e17f5a5238d4c06e05826edda4fbb5610d52cf27ce2aa47bfa9e4b07b2cf9771b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\be5accf36d426aad_0

Filesize
55KB

MD5
021fa572d78e7d66357db3fb3b1cb1ce

SHA1
7ffbd52fda8d40b17e092fd6de3f1b065da93cb7

SHA256
e33371522ce86711d2dffbbe6a88bdc572ee7d92f386702f33c12f22d094b9bb

SHA512
b37891aa130cedff41fc89ee42f86d428338530425f02a04c26e8ecd01692881c58ec2f82bb8fa09aebcfb549dec64148b20e65cb02ca2966557af3711696925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f2335bd3ea6017ef_0

Filesize
32KB

MD5
7c07e74cffa3be227169ae5997d65bf5

SHA1
e0c26928ae3c99f2a3320afb3ceb1ff8e51d558e

SHA256
866b0562d6042ef897028db7024331fa6e091062ea55fee430efcf709be7460f

SHA512
dc08ada24a974bf6e29e6995d5d0ce022ea9cb3ec495faf9b555fcf16d1aec88be6d63d770f81010e387e06c1d3c5a58edaa4639768741bdf057003f2249f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
50b5df45bdf67b637c27c60316fd44fc

SHA1
883c5e86fff3fbed6777b6dc9ee27e594733b022

SHA256
9356cd132b6a5aab525e9893131ecb74244a96bd7c08858eea9bc2ec04305fa5

SHA512
e17664fac52942ff4b35c16c462081b06557b59d7878779fde3b20472891058da6ae9321f96274c548b0a74ca0ff7bfce10003960b62543a35541bdf62f8efc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6cb719121e9aa1d61e5ca3b5cd2dc3d1

SHA1
b08de991d3e4203088a48b3bed9dee77897528bb

SHA256
30b2fad62d842c5bb8dfb66f0181ce484095d77f8efa1eabab48698d7fd583ba

SHA512
09dc96f70eb87c4d6f63ad7ad9f3894986d65a15a376e8a9bc0fe3a09fc59e2f32b3dcae3a5e34db2bbd5f2b72e526b937d972083e1a84da48946e886a471128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
28782f47e732131ecaa03186986af464

SHA1
e8ea4c6d6479079732ab7e5223a688f152efbccc

SHA256
e69a40fff9b0b2d25c71226d9a3c24bb9dc66138bac66a73fc38a8e9868d3dbb

SHA512
c4fd953eb4e235e637d988563bf279b6db33e679910f8ab4e87ebd99194f837dd6fa9498570e163f8dbdd26859108a5531a8d5b907aa7b417f08e7f8961ec30a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6ac1311f408356bc650ccfd6c96edf18

SHA1
4beadccfcb3b85639e9548ac057b448462ff2012

SHA256
8cdf5852c065b974cbe7ed5795dd93fd8c52f8af613101ca8aa07e2ff84cea73

SHA512
c8d84b138f608c716ea96a9454048948723b3eb5f07bffb69b01b6a5c3adec0773ed39cd471ce9d6a6e11c7488867ce173cb824ace5f6da1877f02929d4bd0ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f18c0ba1-72c3-4376-9055-4e354d2e13ef.tmp

Filesize
6KB

MD5
9f1da25149da46b170a9ed7996dd7788

SHA1
b959723b4d29f4562cde8cad10d0c0c7503bdf3f

SHA256
8ce843cc2f6866acca8197c6ff72cb0903a92dccfba14c157519eed23880534f

SHA512
9f99d619a20dfbf93e0903c51246108f50cbf1e703f369223add68756c46112311c4bf1cf1b007d0c6626c6ca0c5afd8ff422b88ee4af15bc9fb052c1460e3b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
338KB

MD5
e2351806d5a4bfb0465f82ec9e48f578

SHA1
085a249efc4118cb06a8e1d01a9bb90421fe8081

SHA256
1afd5435794d604412a15d51726b167eaf503122a7363818ce40bfb12131a023

SHA512
b4652d8baf2ac98bcf4b7c3ed5f08b474627ba318da8f3f664d40b72bf2f795f51e591091ce20e3c39896118291d65e8d26323cf767b51eb14f89ca434b72c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c6daa68f-2c95-485c-956a-6592143a389b.tmp

Filesize
338KB

MD5
276a83a2f2ea8362958b2edf7871ea98

SHA1
ae2a85704f07c835c3b5a6d5567cebde7c3bc034

SHA256
1aed4edcc13f5727a9870c9be253c25b837d903398679dfead0318bc99bb5f2e

SHA512
f20802f2f25f591f1f9aa81a81a668ab958d020ecf6b86bd03faf20310e0686aa812c48344c5e9f4bf5ee0a443132ef86dbdbfc276ada36192fab37bf0c9db5c

Download Submit
\??\pipe\crashpad_2144_ICHDUVFFIIIDQGGI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
658KB

MD5
677d14c29be05629a77415b842492b76

SHA1
6b491eca627cb457414262cc9d417fab81b4db67

SHA256
e65037238450eabc137cd356dcc62b16db53db61531154e64ca00acfd00e0213

SHA512
de64f10a8c41488d3c88bd5edeaf530954a762a0ee1b49873b82a45604a7e7eb91c18569f8dec23e1129f9b52a312b9992508d948e60ee85dc71f2d498285f3f

Download Submit
memory/1520-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1520-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-277-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-248-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-385-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2880-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2880-533-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2880-534-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download