1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
95s
max time network
94s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

10^/10

bootkit discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	dControl.exe

Disables Task Manager via registry modification
evasion

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1952-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2544-23-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2544-45-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2224-46-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2224-109-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2364-110-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2364-132-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2224-146-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2224-144-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2224-157-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"	dControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	dControl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
92	raw.githubusercontent.com
93	raw.githubusercontent.com
94	raw.githubusercontent.com
91	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1952-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2544-23-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2544-45-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2224-46-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2224-109-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2364-110-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2364-132-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2224-146-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2224-144-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2224-157-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20240724221934.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4012	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\salinewin.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1952	dControl.exe
1952	dControl.exe
1952	dControl.exe
2544	dControl.exe
2544	dControl.exe
2544	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2364	dControl.exe
2364	dControl.exe
2364	dControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	dControl.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1952	dControl.exe
Token: SeIncreaseQuotaPrivilege	1952	dControl.exe
Token: 0	1952	dControl.exe
Token: SeDebugPrivilege	2544	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2544	dControl.exe
Token: SeIncreaseQuotaPrivilege	2544	dControl.exe
Token: SeDebugPrivilege	2224	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2224	dControl.exe
Token: SeIncreaseQuotaPrivilege	2224	dControl.exe
Token: 0	2224	dControl.exe
Token: SeDebugPrivilege	680	firefox.exe
Token: SeDebugPrivilege	680	firefox.exe
Token: SeDebugPrivilege	680	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
680	firefox.exe
680	firefox.exe
680	firefox.exe
680	firefox.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
2224	dControl.exe
680	firefox.exe
680	firefox.exe
680	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
680	firefox.exe
680	firefox.exe
680	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2364	2224	dControl.exe	39
PID 2224 wrote to memory of 2364	2224	dControl.exe	39
PID 2224 wrote to memory of 2364	2224	dControl.exe	39
PID 2224 wrote to memory of 2364	2224	dControl.exe	39
PID 2496 wrote to memory of 1428	2496	explorer.exe	41
PID 2496 wrote to memory of 1428	2496	explorer.exe	41
PID 2496 wrote to memory of 1428	2496	explorer.exe	41
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 1340 wrote to memory of 680	1340	firefox.exe	44
PID 680 wrote to memory of 2268	680	firefox.exe	45
PID 680 wrote to memory of 2268	680	firefox.exe	45
PID 680 wrote to memory of 2268	680	firefox.exe	45
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46
PID 680 wrote to memory of 876	680	firefox.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Modifies security service
    - Windows security modification
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
      4⤵
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1188|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2364

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240724221934.log C:\Windows\Logs\CBS\CbsPersist_20240724221934.cab
1⤵
- Drops file in Windows directory
PID:2728

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.0.345315534\2017310042" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7555af6c-5824-4d12-8570-1c4e0efe2af7} 680 "\\.\pipe\gecko-crash-server-pipe.680" 1312 45b7858 gpu
    3⤵
    PID:2268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.1.844669957\1098783578" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43be06da-0cae-46dd-abd3-c36944aaa64d} 680 "\\.\pipe\gecko-crash-server-pipe.680" 1488 e6f558 socket
    3⤵
    PID:876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.2.386043928\1451256426" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30717aca-f398-4035-89f9-514fff34412f} 680 "\\.\pipe\gecko-crash-server-pipe.680" 2100 1a5a1258 tab
    3⤵
    PID:1996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.3.752050619\344157331" -childID 2 -isForBrowser -prefsHandle 2476 -prefMapHandle 2072 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f85dbe7-6c55-4d86-888b-41d64d58ba22} 680 "\\.\pipe\gecko-crash-server-pipe.680" 2480 1a689558 tab
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.4.1822683398\72023918" -childID 3 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b553fa4-77f5-4c49-8f8f-91d77eae3054} 680 "\\.\pipe\gecko-crash-server-pipe.680" 2976 e68458 tab
    3⤵
    PID:2484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.5.217704462\971970070" -childID 4 -isForBrowser -prefsHandle 3712 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed50871-8075-4b59-bcf3-b7e1b54d2ca6} 680 "\\.\pipe\gecko-crash-server-pipe.680" 3696 1e752b58 tab
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.6.1360051547\336006147" -childID 5 -isForBrowser -prefsHandle 3852 -prefMapHandle 3652 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {961d4163-fb12-4255-9478-e02b3ae47634} 680 "\\.\pipe\gecko-crash-server-pipe.680" 3872 1eb60258 tab
    3⤵
    PID:1700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.7.355431436\260308815" -childID 6 -isForBrowser -prefsHandle 3940 -prefMapHandle 3880 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36fea28-2738-47fb-b8bc-f9ac6fff92b0} 680 "\\.\pipe\gecko-crash-server-pipe.680" 3928 1eb61758 tab
    3⤵
    PID:2880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.8.191334714\153071393" -parentBuildID 20221007134813 -prefsHandle 4404 -prefMapHandle 4400 -prefsLen 26356 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3872a609-9e15-4041-9dbd-54d960e9b3b5} 680 "\\.\pipe\gecko-crash-server-pipe.680" 4416 1217c358 rdd
    3⤵
    PID:444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.9.477401339\864665570" -childID 7 -isForBrowser -prefsHandle 4628 -prefMapHandle 4632 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0bfd9b2-d7fe-43f4-b35c-78b68facf1ec} 680 "\\.\pipe\gecko-crash-server-pipe.680" 4616 22091858 tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="680.10.1683736092\1833528628" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 26531 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {170b6e2a-4b28-4cdb-9d12-44f7afe54e18} 680 "\\.\pipe\gecko-crash-server-pipe.680" 3432 1217a858 utility
    3⤵
    PID:3604

C:\Users\Admin\Desktop\salinewin.exe
"C:\Users\Admin\Desktop\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
9ff6fbd7847d5a53fb2d1798fb714f70

SHA1
bfd960e90fb7627a10badad6762fa811152a7309

SHA256
d045902b0cebcf00d87152897ab2c8b681b460b40e0a3d1e86167a562489c367

SHA512
7565734d327a02bbb3fae951fce09341cc5a7a39eb470ea3c8bd9b6d8ecc8ede0aac34d07883cfc5c45e9a8dc0e1330e628c625d49664a4dd0a41dc382640aff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\doomed\20459

Filesize
52KB

MD5
8d318fb67257d076b0cb20a32767ff1e

SHA1
7be88800b3ab832b952b463b9c701e8e029b8984

SHA256
48400f4d6a15fea3a3cfc6cffb225a3ac85ada48d49039e92fd9221e25be0112

SHA512
d0edbd3264fa7700016b58b048f7328c46b651717f103089b4aac971a95f40e4149c12e73036a04b3e2d8386b0208ccf0c5605956a72c66df5e9ec05c41a3bd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\8F8D0B9581DB6444556B653E5C7E0AACC0EC8F88

Filesize
14KB

MD5
cbab57bda0ec98a444469a2d586c395c

SHA1
5e15163a64e7971d5b6be40a6e1b8f9223533b6b

SHA256
e3f368fb5c6ff43610ca199d0d912e9c88dc2b46fb51bce1136fb5326c4c8a0e

SHA512
6b44cec7cebfb105509fac97034add8db1feae54a2cc80553d70714aabc6b1cff014a3dcdf23d675860bd7b750936174954a33bd046bdf88eb3495dd3a6b3e54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\A7CF3ED5C01DEE0C144A5D0CA5CF0BA94AA917AA

Filesize
15KB

MD5
8ed42ab64d75072f9d2ac3e18b989a87

SHA1
d33d4c4a58a3e24cdbd6ed4af38d2cf3484f5571

SHA256
919cd658d98e61c647455ff520c25bffd0838251a2fde4ba1a57dbb4e3968218

SHA512
adb6597af4eaccdd241d3f07107656d0b774ad7131475b7013da00def3b2e0bdf0a9d376b1917f84df058b9b2ab647b660cdc7bb0ef021b32b63bf0ff769e19c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\C7419CDF027B9C80E92D8F4B0CC3228414823B09

Filesize
19KB

MD5
b4bd3270a2191db36a0419600c320a9c

SHA1
2c9f7f4e1264432b92aa79ba9536ac40e76a08d4

SHA256
53fd69aa41b25cd6f5ba857378ca9eccda75552fcd97c5f391ae07d66bbd3042

SHA512
3784f2e8d80d1d10fa6d4e1911ab165bfa678b1724761d25ccfd842f9d5ab6df062a284ab3eccfbb963ad89d8ac4be208de06cef845824c0bbb48ec9c613b820

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\id09dv1m.default-release\cache2\entries\CB81BE30BDF35C485C8014794CE8834186130544

Filesize
20KB

MD5
ee6bbd67a27c7af830ce32c923cea2a7

SHA1
52f575f20fb7514ff8e937bb89f17a7c5e7af22e

SHA256
b731634f7658d15f04a84e1f03524f2f92e4db11ca13c6cf1ea956c8a43de7e1

SHA512
7c98301b95054c66dcd8663a372d28786dbd65ccbfe25c83e3bda73d4467923b124dbd075363ba7cc9cfffbe63253253952c77722f6c79464c42d684d2c51b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1i9n5q2c.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
eb6cd247542c0d613d0656b678d70b18

SHA1
10c1504f510bf4c9727f393372459063c19793fc

SHA256
17a0186471e550faaebad83faf154888947e69d4f11390a87cf98e79c0ca10db

SHA512
24d83d8819b0404d95c85ccc275c3fe7297d7c7b014efa6e41d6273e020f0664008e365dff224216dd849779d38bd5dacaabdafeab3a544b94f995e5d075c2c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c2ed7ee7008dd80a0bfbb602d73372b9

SHA1
1c70fcdf66b75e1dca9d006366765659d335bcce

SHA256
fdfea0f95d7ea896cb8cb38572a98715a8d5e9638611b113b2afabbc88c1a2da

SHA512
bfa0382717317f4fc7931630bc4d322fcf8f8091aae8d5b26821769b7e5d9251b5b829c018329a486cf0321cb081254b8e12d47c831084d3782f3a48bec2fe73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5b5489e0ec94e862343910aec4c294be

SHA1
b40ecdee3a92bccdda971ae39dbb80d6662da4e7

SHA256
5d24ba15eba4fab36a072d220fed314ee21ac7da498343ba4e63d47e970996d4

SHA512
d17fdd62f0412feee72cf78b3072d0d86733988fe86ebc5f83bdc42af3a8ae131c2adf0d03e4737739586e538afa336c93f0ef7da0d46b6556e9fbcd30d2e609

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\41963146-8c9f-47db-823a-edf52f5e482e

Filesize
745B

MD5
7730ef30ce42bfc786af0bc9cc7d5ee6

SHA1
2d335ce9bbf2106033f4c5ee40864c3fa219d940

SHA256
c0174e24678392289a5bf5389624e1396da001eab143a821ef53e506dab8f394

SHA512
92d7d524afaff6580c7d1815e7dc16e6c165562d683f2e95b551aaaba1f5d686ace6bb5323e324ccb96fce3b1b10c49fb5c841f5f1c1e2dcc359bea1c8eb5e65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\datareporting\glean\pending_pings\741acde2-f2fa-46e9-b7d5-a81c5f220b8e

Filesize
12KB

MD5
4d689513ec3176e091438d692cf00e6c

SHA1
98c573fb96059dead631b39e94a799ecc4b440d2

SHA256
978585395fb885a6b019ae199fb426e236d4f1d14c7f82b2fb247c6d2ccea9e4

SHA512
d05c965c4f80003052a66d7705dadfb7751f51ae830ac1e42ddcaf37e01a0c75920d7831e9629515a9755b900b14a165ad0ec132ea3c8233a2fc43ee21232501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
e5d7606c2319dd4ea1070547b63890dc

SHA1
bfb170e234aed695e93459d6298311a9fcb7b380

SHA256
3ab27b59b396c962f0918632d832810c65a55ddf4d795c733f2097519254fe61

SHA512
803ebfa58d59c6b55d10818d1a37d9414c274317b432dc60aef1198468e3d91618a811e8aa06a3e6fe5724f43abf565afde9cca51099066c079a3b856e759d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs-1.js

Filesize
6KB

MD5
45043c1ee0f83a3859327f9bb6f92f01

SHA1
c45e01d1c3d67104ac841e65564a60ca21c52114

SHA256
361b7770c0253300c73f09ccb5101bf63257b246c4f1b8276c24869c827c3de0

SHA512
58695125383efb7e9ebb1ae2dfbbf8c6f1950c909036aaea25b776d64e6eae882bca187626de3bec83629a718c325fc7ed158f86f3753a6a91c589cacd27236c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
f18a363976b5acdde0cf56aa5acb4851

SHA1
57f98db45875b5ada42fd96a1b7a0acf5a12d0a9

SHA256
221d0572198f9ad8de13987d7d42133acbc3ba664ec4d55e30b10a3381cdf858

SHA512
36cb7cfa1eb09f3ea359ca1a7af9bc33ab3fc0bc7d48f2139b566666b5c166bd8a197e745bd9383a97017cb800790e402435c461ec7eb4ab6f21a5135ff7e5f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

Filesize
6KB

MD5
d3449cb244fd6499ccd65d0de9417168

SHA1
30461173c1faeade09d65a9fb10c9f22382e908f

SHA256
bfae655bc6e2b81def10bab6a09a31586fc1c08aae5984a48f1af1526fdb53a9

SHA512
6c808492ebd9961848c223c4462460ebf38eecd97595324d07535813b82ae882506f984dc2f839c95fd77dad060ff77c7a94990a07e7572e58373308cbcbea41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6814d82eb494e73026d8f2247eed2c12

SHA1
4fc6f0ac04ddb8427d308977b81b4428b4f10392

SHA256
c690738672458ce7555c33d4590bdce9278a8635dcb0d13bc7f487d1f5ca29cc

SHA512
0502d83ab1053908423976e189f747f177e49ced465eef42eb7991c53bac776f7aacb7ef97dc28a02c32dc965317d5299f4af8841e6053c2d4dc04b3bb0fa709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
bcc3bf2c5ba973e305a78f9cc126c89c

SHA1
787e98876d7c4adc60c4f703c4836ea1f0e33fea

SHA256
fb701faf53b0e03a63a5d8afee6efeefd1bfb7eea0554b56aa2cc1aa5b6cb152

SHA512
016442d2e4fc2456263a0ad398e1b0086ad02bd6869d27eb35a481633d307abc6e3fc343d01e4567fa71280e37164a405d0ac2acca0844e4cf8fb51836290537

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6a8b558e867adcd4f8e6727dc8fa19ee

SHA1
7e9564b0a36eaff2d5f40e918874ec5c20daac2d

SHA256
e15aff5662a04e2e4e8dcece3bb6808fdf5c1e24d58be1531a4d69c1a2b90f94

SHA512
7539244a2f547a697000951ebdcdf138ca26bedb19eb05705708eb8ef85101d8279b71b938805e67bf2ebfea4d0c8dc1205eb202e38917ba6c704ef6301b2da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
c2cc30fd1dbdefaed5c210cc8417ecf0

SHA1
e0fc56e47c129407bd19be2ec29d74ad9855d54b

SHA256
368ae59914624054367e828428ad72ce95a769e1ef46ac4080d2a1c720aca369

SHA512
bf6a4313f87b39c57bba21116865a7e17bc057a7b033966634cabaca946b6356a726c434da6270b7dc1c1a0a3cb1d951023de22c3c8b0980c747775e8364739a

Download Submit
C:\Users\Admin\Downloads\1rYAtDg4.zip.part

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\2i5n4q4c.tmp

Filesize
37KB

MD5
f156a4a8ffd8c440348d52ef8498231c

SHA1
4d2f5e731a0cc9155220b560eb6560f24b623032

SHA256
7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

SHA512
48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

Download Submit
C:\Windows\Temp\autBAA8.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autBAA9.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autBAB9.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/1952-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1952-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2224-157-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2224-46-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2224-144-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2224-146-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2224-109-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2364-132-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2364-110-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2544-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2544-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download