1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
6s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2576-23-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1848-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2576-45-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-170-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-201-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-225-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-423-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-502-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-512-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-519-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-520-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-532-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-534-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-535-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-536-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-608-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-660-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2836-661-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1848-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2576-45-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-170-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-201-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-225-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-423-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-502-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-512-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-519-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-520-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-532-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-534-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-535-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-536-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-608-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-660-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2836-661-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1848	dControl.exe
1848	dControl.exe
1848	dControl.exe
2576	dControl.exe
2576	dControl.exe
2576	dControl.exe
2836	dControl.exe
2672	chrome.exe
2672	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	dControl.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1848	dControl.exe
Token: SeIncreaseQuotaPrivilege	1848	dControl.exe
Token: 0	1848	dControl.exe
Token: SeDebugPrivilege	2576	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2576	dControl.exe
Token: SeIncreaseQuotaPrivilege	2576	dControl.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe
Token: SeShutdownPrivilege	2672	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2836	dControl.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2836	dControl.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe
2836	dControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1800	2672	chrome.exe	34
PID 2672 wrote to memory of 1800	2672	chrome.exe	34
PID 2672 wrote to memory of 1800	2672	chrome.exe	34
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 2040	2672	chrome.exe	36
PID 2672 wrote to memory of 1220	2672	chrome.exe	37
PID 2672 wrote to memory of 1220	2672	chrome.exe	37
PID 2672 wrote to memory of 1220	2672	chrome.exe	37
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38
PID 2672 wrote to memory of 2020	2672	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2836

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240504224418.log C:\Windows\Logs\CBS\CbsPersist_20240504224418.cab
1⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6129758,0x7fef6129768,0x7fef6129778
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1624 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:2
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1424 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3132 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3680 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2072 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2804 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4004 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3772 --field-trial-handle=1328,i,18107016028770308782,15595718421736506136,131072 /prefetch:1
  2⤵
  PID:2944

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
840f7df90d317058fae9ae6ac3a0cfd6

SHA1
91a2c3764e1e2adb8e75d1a32186adece18b9c90

SHA256
adc96fcb1f6aaa3ece063382ee90609553a03775e1d5208b31d2b23e4eb09443

SHA512
5678ca5ddbd53ee50ad2c436a45f081f7d265349050d09f10a8a9b4d7836d7531446bd6bc1bc47ae5b12d5d3f9018e66a2c754f2d6f686db17881e3244c80a3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8626b3803236fc8e0b8309b6eb574c8

SHA1
d592e11b54c7bec59f6252e73b9e6b49df44c2a1

SHA256
6a7fdd6dd1d07763f408abfe9e9ef6decb58bbae92d6e25539102e09dd9cf872

SHA512
aedab7d954e1d8db7c1b668703e3a7c4ec7692834842a54e0a302f5de0a1a40fad3412195d409d0afa0a55f132e6d228c191b9c072e58dea0ee00a73eec0d8cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
260596ebe880edee1a5d8cc2b48a43b7

SHA1
c331d5a38ea59277dad2468b115639d9aade6ed1

SHA256
43080d7bb0b1787bf7d1310436b6dc2f5274b13499aa0ca71c86acabffd19311

SHA512
a356f7679f9f584e3cbbc6dac27019631b0b91ac9d058049bc2e245b44cc7fd0290be00bf71f36732c5a0e153a08ce9e7d378f62cd7a5f6cf965c64fc0a58085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77fb50.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
8ca79259f462e56c67dc70c9d9b282ec

SHA1
c8c9a2159aec773ff13e7797f9046f1f1cbd7280

SHA256
0a0b41796c320241904486b304d61fa9f934e458b903f6336fc9dd6c37854520

SHA512
c9e54e4a65d54c46cc49f3cd705e40ed1e480b1e8497f2c1ac4eddc1e3372fccbc2c7ed462a300f85e4075b0b70e04fdd324005813c417ae6ce81616277b353c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
685B

MD5
a60a2e8e3b2e2e2126c42b3bc3ff90c4

SHA1
24cd2af4452ebd9e9e3e3a59cf02cec054359ade

SHA256
6e1ee4ff58e120641624fe320a79515530c29c246b70eb15de95b6dd2a454ce8

SHA512
a5ab821790f2552e05b60ac9cd8f7c996574680da9df4d89b7b4f5b78df7961fe5f2a3a2b9d596dd213d034ee3d565b6eba8ff2b5a4440e69835acf146ab00f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
aa542605bb84b0bfd4f1fc1e41968c15

SHA1
fe725a14904259484f1b0f4213e376a4ebedce67

SHA256
ac884df8f6d2e40b4eb32128b490b1a05a67d98a3d1b5a12d67350d33192f2b7

SHA512
f2564bdd243b911ee8fa816609a4b4803a55a49ea23196e4cd16783c4ba4904bb29f88738bbddfe3ed6cfcc732e9f4c0b8f66e893b508fc0e9ac59dc107226d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fafb1daad76645b4232e5f207446d4c

SHA1
be0b14267d011a546f586263d21a68be3c727c2e

SHA256
70e3086f1cbd51c668d749b5f950c3a39a4744e116dd5cc5d452d922ed195edd

SHA512
5aa4c4d2da28630d16dbd2e2efa816c33ebe64dbc6516e3714a4002e3f6c91737ed4aa23ec5225fa13a0b5468bca2bcfdc7839df6c6fa898a00a4b8890c54d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e374ef8617887dbf189995cef615d572

SHA1
4f1ae39a302ea7d3fe90cb329c4acc38a164a3d6

SHA256
5d2dc5ec99a27b906134f4cc7ed0dc67431cd6f911394eaaca46ae2ee9e74099

SHA512
2d55ad2f277bfc3873834c8e530cfeb46a2955e31119a20d380cf05c62ca5a61d7e9db79e509b5418a96cb451d58d9b9eac3fd7db53ec0baf67454384bca0152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d0b127411bbe5101ae1063d0b1086294

SHA1
d26b03f089c7f5d83e2020b3c1f438b9d00913e0

SHA256
0440011108242853d8558ff775557add7891215e5048d50a0562e2ba963693a1

SHA512
7d4dd47a77daf002d273b898d065b9c8bd3a2e79ca908d808056398c6c70831f09ccc76811a1eee622f496d1dcd7c5df4abd33ceeca30ebe1d6440e1d518c8b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b75cc063be4f33a5ed110466b19659aa

SHA1
6b222de691bc3dcd7a682555a6647e19711eaa33

SHA256
ab66513828c756938456ce3a03a03fee7779077272f9c43bcbc385e7b77745e7

SHA512
4c625e4fa169f042ff585a0602e3f271366291afd52edae28a9e0e5092170b626b649555770e6b245a7bb39be030947dd04d72ee256f32fe9f7e718a88742f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar915E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
af92d89b4c470c217944a339890efc05

SHA1
e227bc0846b08a9325eeab41a54139d43f8c6c4a

SHA256
56182f1b209da3d29199b42de08e9a637a3f13e5ad3edf077968f6cd2db02706

SHA512
455fc33ff1c82946a3fa4fbb3fdb611d146574fb4c228962204c70296374b91af5eabb602235dd6851cfbeb10518b3796691ec26ee3f25f621d2773fa91fe613

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808876.crdownload

Filesize
2.3MB

MD5
b1f4bc644f535c745341de0303631d9c

SHA1
8d66e30416004cc2e98334a276c181ae1e67be55

SHA256
5d8d697707c89466cfe203bde7e242680d020646bd5e49edaabd67fc6a7d6321

SHA512
e3fc8eed9061dd8c555a26c29436c7c5218c6409096e37d11b34edcab448d5c3e9f7dff5e5c5ab2a0e3ee96da666b3be7f2b3f028fc122f35f74c51518aa0d44

Download Submit
C:\Windows\Temp\2f5e7h6l.tmp

Filesize
37KB

MD5
e00dcc76e4dcd90994587375125de04b

SHA1
6677d2d6bd096ec1c0a12349540b636088da0e34

SHA256
c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447

SHA512
8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8

Download Submit
C:\Windows\Temp\2f5e7h6l.tmp

Filesize
37KB

MD5
f156a4a8ffd8c440348d52ef8498231c

SHA1
4d2f5e731a0cc9155220b560eb6560f24b623032

SHA256
7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

SHA512
48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

Download Submit
C:\Windows\Temp\2f5e7h6l.tmp

Filesize
37KB

MD5
1f8c95b97229e09286b8a531f690c661

SHA1
b15b21c4912267b41861fb351f192849cca68a12

SHA256
557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

SHA512
0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

Download Submit
C:\Windows\Temp\2f8e3h6l.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut22DC.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut22ED.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut22EE.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/1848-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1848-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2576-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2576-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-512-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-536-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-520-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-170-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-532-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-534-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-535-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-519-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-608-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-502-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-423-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-225-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-660-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-661-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2836-201-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download