1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
1800s
max time network
1697s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3116-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3588-21-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3116-23-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1388-44-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3588-46-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1388-96-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3116-23-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3588-46-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1388-96-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588621128465617"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3116	dControl.exe
3116	dControl.exe
3116	dControl.exe
3116	dControl.exe
3116	dControl.exe
3116	dControl.exe
3588	dControl.exe
3588	dControl.exe
3588	dControl.exe
3588	dControl.exe
3588	dControl.exe
3588	dControl.exe
1388	dControl.exe
1388	dControl.exe
2532	chrome.exe
2532	chrome.exe
3972	chrome.exe
3972	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	dControl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	3116	dControl.exe
Token: SeIncreaseQuotaPrivilege	3116	dControl.exe
Token: 0	3116	dControl.exe
Token: SeDebugPrivilege	3588	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	3588	dControl.exe
Token: SeIncreaseQuotaPrivilege	3588	dControl.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe
Token: SeCreatePagefilePrivilege	2532	chrome.exe
Token: SeShutdownPrivilege	2532	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
1388	dControl.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe
2532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2796	2532	chrome.exe	93
PID 2532 wrote to memory of 2796	2532	chrome.exe	93
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 4656	2532	chrome.exe	94
PID 2532 wrote to memory of 5072	2532	chrome.exe	95
PID 2532 wrote to memory of 5072	2532	chrome.exe	95
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96
PID 2532 wrote to memory of 4160	2532	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95986ab58,0x7ff95986ab68,0x7ff95986ab78
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:2
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:1
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4212 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4120 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4704 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 --field-trial-handle=1924,i,11426138675784322543,882847967608099513,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
17KB

MD5
508629987c51e38aa6b6a204a61b4886

SHA1
c1d3cdb051362e2d4aac92995a34eaa14a2a3edf

SHA256
bc98c4b48b22ee1e376caa473820b17ce08a7f8695079716c2d5ecace768c515

SHA512
f5d3b3266ce7dc5b35ab3f313a845036e2ba7652ea0217ca90a05ec00b6ef7e3143eaea0c5e88c2053f53e0871e64bfa3c045f91f95dca6cc3240fc3d670964e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
33KB

MD5
43145415f5011a78f6e8d82c3502f917

SHA1
381dcd50b5c20c263b831294d11d3f6157f72ff0

SHA256
303b2a5444af8c1fac76f1a22d2681537ef6b7b2601a6f1884f0481422645bf0

SHA512
cb23fe79bbd1e79f6c44925ed949d896677958e390c56c76d85f248dc9d23b4348d5756aa1226e5568a3993a8577cc83d13ef187ba6ae5719aa549b98c63903d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3bea8d7fa0360b6de78c91919ce152c7

SHA1
395156c03c8a7241f8af0d6c0eefd15639a5c597

SHA256
bd02d977bcc092d181fa9f0a9da38930d2e47d0a944b285010a7386e3da6bf47

SHA512
b4bf5906635adbc4ec754e02d1ed549e61a3fd0ea3b564ab0063f0222e2ef2cfd2bd675d0680aef878b2e888da13bbd8aad86894039aa1d4f3cf62a383d787f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ea469496b16cbdf882632df7efb06b1

SHA1
484e621671973226a247331d223f865178ea249c

SHA256
8ddcf835415ae99f324bf2b5f247d5aa86452b5f4640528d4365ec0930bbf74a

SHA512
04975053eef9677658b90e1a166451bd19efffbd5761d9beb901a40235b1ed4f97e10e342c4329fc5cf9b111f67e33aa9937edea100f0d78b45cc6e5df46f3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9d426800c55f20f457145ff3cd7902aa

SHA1
9f0ff2554a1e40e007be278479c0c8f151d78150

SHA256
eb98693817b78f988546e3141ee15f24699ed1b4002c38c52b91f7ac900c635d

SHA512
9652651a473232b1fc3e778544bed37846bc3ef08f3848e88574486dd71cac4bdfa08fd7284f7350dc55caca1bbfffd670d7f32998abdad6036d7fe1bf5c1272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e3e392af4e2e097f7a3e30cbecd54153

SHA1
65cf6146c386211e8859f5a39fadccc26116839b

SHA256
e1c8ad008ef2f63025ba13556437c5fd8787856852c76dbc7d3a7026eba78a1e

SHA512
5145537d05f39a587000b4db9f6c1374b6e0c82a3831ba849b14d19306c0365e923b2e1aec843467d6208c6fc015a913641ebe8fff487443037a52f5cf34e947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c82ff8d62cae4d099275ce2bd48a3ab5

SHA1
125ab05a6a8c5407fc95c9f9f48f0df54c24f4b7

SHA256
3d30426bbcc0d0335d5ded98ddf2dadf9b09e810ca75d0a4bbf4453a7722d0ee

SHA512
32bd5ed4a3eeffbdc3c1b4ae33f417155d5e0de883d813dbfc89725e384dfa8cc2680641b3d336e50e3c8c38bd5a2468c6393701ab6575a523cd74f640ebf8cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
f1b66cbe608e31db3701d971fc080c24

SHA1
ef07b313e1b159699d8ae01e341c86a03ea4f38f

SHA256
e0856b74c2851068dc3fb680531c5ebc65de1c5ec38ac7e785f18e09093d65d7

SHA512
0b918436b1c083a38cbd03aab47e3bf393be74423638d67afedda56f861105129a0eaaae6178ade99c6de60c0f7656eb29ba1c83bf4c869aef38e20e947dfab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
851B

MD5
09369a7f4738d2ae661949940ca38cc8

SHA1
74e67f8fa89a51f27f7cd7d03b9b3ae915617854

SHA256
10c68b188243b5d7c31b88acd3ef86530f0cf684e13ec897b4a41daf030cb36f

SHA512
fb75f5618d26c37f5e629ec98112353ba2184a0fe9f33779c7de1a1b4acbf31191330d8e4a96997df408765554c51745ee92f24f22c1fe165dc222ad9c9bbbaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
8759cf9bb21ef3470068f9acf2f0054e

SHA1
267598f86045aff6832abd41d91bc31ea8c40f8d

SHA256
53ba9d10f74fe428aea3ffbfc1c478f200bf0fe62013e12b71b22ada295e061e

SHA512
cf836d41caad6307af59c2a84c827e3f506604a021d99cd5d2924e8a34e7a26ac1cac619811da885b06e3c223e1a6af8fdadfb7718a9a381846857dc23c3d019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
10282b6bcee300af6889c4ac0d815f09

SHA1
ba3bc3591839bc18051dbe7271b64b2099a9cf72

SHA256
ce2d4aac3f629651a061dcdadf56474bf247efd3bebe54e87a30bc60c30c8503

SHA512
5c38f80d40913e1418a8dfa0426751efffc2001b5a49a1fb20622551cb1c60208a97b167ebaa94b64239b0d39c086d7e56aa5a3b20006b5a1e679f91c7b5baa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3a71cee83cf65d3268eae8f883a23cd1

SHA1
000a74f39b6413b0e2bbbad856fc1bc41775fd5a

SHA256
d051e50402e78bf07f9e8727d3149ee35958baf4243111baa69c5c3f9c6977de

SHA512
c428b4ec33a9e4d74dcdc1ecc0fa138e53b8655dcee58f509a21ddea9a418b8e3a03497001d3cb86263bd4e5bf9f84abaf52aee20bc1fd418e895738f2a8e96d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2f180896e24c98d364a6ed6455dab902

SHA1
e2371a0789b7c2bd6773f57120b46d6b5a38f53e

SHA256
15ab75c854d2cf26903388936579b794a24415af20654f1605fc59461030b2bf

SHA512
73cd3f488895f690e523f8a9f6c04b5c05f5649b87acbbd071a477b574d8f07dd5f9bd75ec7dbfdf16ed9672bcd5d37739fc5d0601d2783d40890b0ddf706760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a06c2d7bb34afbf5d4910a4b30daa91e

SHA1
cabf6a95aaf14ed6828fd761371ab43b95912e78

SHA256
e8df11086c2cb3b0d478847162f0a4a587941cbeb17ea587836fbaffb2f1adeb

SHA512
e928fca6c8260693a88a9de4b414074e044421ca140e3a3f3aae051e30b956635fe91cee649bf8e0ca724a61a787cdae8f2609d15b3a8e93c16e6b4bb543ea6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f394cc02-a7b4-42c5-91ff-656cd2dcde25.tmp

Filesize
7KB

MD5
ab242c0c67bee509162477791ef14fee

SHA1
ce63ab0b2db13cc3bd3f7c68cdc646b24651dc06

SHA256
dd54c58a348e28194f715fb52e5550ef53005a447fda61ac900752e9fdd4d67d

SHA512
e4b2a2cbaf37b82ee91c9a71bb6c04e3b81ae73edc3a76d99900054205e25731646a860320e7953416ca23fb09e9e98448c5115221283021bec9ca12ae8930fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
464528ea26c963fe65364fcc2f45d967

SHA1
c978c147b6409e6626ad49992f16db6f290dac2b

SHA256
4d5457123000fecf8e2f0cf02ba9e5132399da66e407282ec0581773d8865aec

SHA512
740a10ce8bf77963144bf8b7d0d0ca17667d9343d8e03eb434b7eed1116ef8415b69048d524be28e50bf6c04c700d534380c02da6c76ff732c13579a62736301

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
e8daba2baefca9315b4f4d7859c00410

SHA1
3002d9d7c7475bcf5e65218dbff86543ca274a22

SHA256
5c4ca29eb0c70b9e24d24535e28a5dbf5bf08d39c03a66a189d5fec7bede9cf9

SHA512
5d80b2a17ce21e5fc32f91bc596761fa0403192c8c3f9f35a1494f0236ae482f4ca707d8fe4e65a96458756b36592ab3d715686b4b2f6f22d5a4ee768efa124a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe595b16.TMP

Filesize
88KB

MD5
40b17a8d653be2a442e1dcf1dc5c93d6

SHA1
b9d92cfc3fa12d433be4cbb79c22eab539461ea0

SHA256
3b8e0d8ed84199bb783faf091c6cee375b7fe080d1766b6e1e546c49d8f8aab5

SHA512
545b3eb45a3d2b5906b655536848cee9b391a753e38f95c55b31ccfce35b626507850f2291cdb56e7a68d3df1a4cdaf7cb0c89f27992c88a41152130aad2e231

Download Submit
C:\Users\Admin\AppData\Local\Temp\3g1n1f6c.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
064c21f2aeb88f545d0c309644fc0f45

SHA1
c3f0b9ed6015f0a45d282c2d9207a353f54e5b09

SHA256
35a089d09739e4dc59443e036b61090bf9ee9a21f6181442142bf8a3adb6e9b8

SHA512
4edf1088cdfb6e7641daecbb8fdc75ea90003eb68762c472a53585c5828145a425dde8467716d415757479b5e4fd0610c2899bf30d16f6472da8b2d9f87e5265

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\Temp\aut3A4A.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut3A4B.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut3A4C.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/1388-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1388-96-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3116-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3116-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3588-46-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3588-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download