1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
132s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

10^/10

discovery evasion trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	dControl.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2696-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2812-23-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2812-45-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-106-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-164-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2424-191-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2424-212-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-220-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-278-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-321-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-356-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-366-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-371-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-376-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-385-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-413-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-442-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-443-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3044-451-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"	dControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dControl.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2696-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2812-45-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-106-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-164-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2424-191-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2424-212-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-220-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-278-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-321-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-356-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-366-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-371-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-376-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-385-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-413-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-442-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-443-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3044-451-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20240806053432.cab	makecab.exe
File opened for modification	C:\Windows\WindowsUpdate.log	MpCmdRun.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2696	dControl.exe
2696	dControl.exe
2696	dControl.exe
2812	dControl.exe
2812	dControl.exe
2812	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
2424	dControl.exe
2424	dControl.exe
2424	dControl.exe
2712	chrome.exe
2712	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	dControl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2696	dControl.exe
Token: SeIncreaseQuotaPrivilege	2696	dControl.exe
Token: 0	2696	dControl.exe
Token: SeDebugPrivilege	2812	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2812	dControl.exe
Token: SeIncreaseQuotaPrivilege	2812	dControl.exe
Token: SeDebugPrivilege	3044	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	3044	dControl.exe
Token: SeIncreaseQuotaPrivilege	3044	dControl.exe
Token: 0	3044	dControl.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe
Token: SeShutdownPrivilege	2712	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe
3044	dControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2424	3044	dControl.exe	44
PID 3044 wrote to memory of 2424	3044	dControl.exe	44
PID 3044 wrote to memory of 2424	3044	dControl.exe	44
PID 3044 wrote to memory of 2424	3044	dControl.exe	44
PID 2456 wrote to memory of 2224	2456	explorer.exe	46
PID 2456 wrote to memory of 2224	2456	explorer.exe	46
PID 2456 wrote to memory of 2224	2456	explorer.exe	46
PID 2712 wrote to memory of 2592	2712	chrome.exe	50
PID 2712 wrote to memory of 2592	2712	chrome.exe	50
PID 2712 wrote to memory of 2592	2712	chrome.exe	50
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 584	2712	chrome.exe	52
PID 2712 wrote to memory of 1488	2712	chrome.exe	53
PID 2712 wrote to memory of 1488	2712	chrome.exe	53
PID 2712 wrote to memory of 1488	2712	chrome.exe	53
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54
PID 2712 wrote to memory of 2720	2712	chrome.exe	54

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Modifies security service
    - Windows security modification
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
      4⤵
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1196|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2424

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240806053432.log C:\Windows\Logs\CBS\CbsPersist_20240806053432.cab
1⤵
- Drops file in Windows directory
PID:2208

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:332

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1856

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2992

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2492

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1808

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1612

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2224

\??\c:\program files\windows defender\MpCmdRun.exe
"c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService
1⤵
- Drops file in Windows directory
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef58e9758,0x7fef58e9768,0x7fef58e9778
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:2
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1572 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:2
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1628 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3712 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2436 --field-trial-handle=1208,i,16891283953373820962,17950038502380485159,131072 /prefetch:1
  2⤵
  PID:712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d2b7540d3182660428d41605ddf3d7ec

SHA1
cfa5950631b8bcfaffaa4defc1c51383885d176c

SHA256
8bf0bed2deb6a25bdedb422617f1b95603417f92d1f8b804b1ebc196ffa92506

SHA512
3ff71b62d34d9a724f85541f3c305110180d9271eeb43d08aa24a9cccb8fc2e37de0a7bf2538c281111b0930437538203967423bbd68dc3abdf646d2b0f07867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
4ad2b24272d38745e6ac543cdfce4794

SHA1
55d016be2448ff6f758dc3f0161b2444fda2c003

SHA256
1a476d1c9f9877a3b235a6331bdcf85d8240ea013de486079b8dce9fed06570e

SHA512
2bcab81ab0bddeb45cf7ded7a57d2faf144c1e642b62245147b1956d931ad51a09d045c1f56e6df0c5c725fc5d434677cb91a2667f6bba4b2e9791d947f3c45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
357B

MD5
6ad7d606910f563c2896016a49eb6af7

SHA1
97dea5c50d74c960530f71a5e78bed768e54b500

SHA256
aa198777a5604c6378927a6268088e4b3966de94799151a9636deefeb744d445

SHA512
977b97e4089383d9ff5cf8f9abbfb492b258ea37ad0fbf56eb2b557b6188c61a299f68aa46c2e87a2a7921ce375865ff4a47ea8fe2844ae72c627018bc6a6f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
28c748c428b4d6695d1cb85b765eeb7d

SHA1
0153e0a624e1f426f2d41b2bef4711ae49c9711d

SHA256
7aceff3be2520740ae2bda75707c3d87a2c31b2825e7b0b166ba19fac0a9e8a2

SHA512
509600a7cf91e86679c6939955a10dfa485dd73507e4f1121e85adf2fbda8b7c80e58c376e564742ea1c57c43e351ae9e77da63a4be1576c906e1e8feae9f384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be16cc9afec0c5319f5c1c4ecf151b6b

SHA1
e1f8197b205e9770779efee05067df5cb19ac62c

SHA256
1adaa6e8095bf4bca316ed43dd6ccd2be4d0b0dd1a8a041db5a96dc84606ed5c

SHA512
2eb777cc7de025fc2e3293f206a5948c9ccc5db11160678ecee7b73d2347952dc43c51824bc13fc003c5e215e2bb988a3982cde19068826f1c1119a0cce97c98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d64a1f1f7f7f1256e5fff74f07955b13

SHA1
ebda59214bcc3fa71a34f1274b682c03226873e2

SHA256
e811bc690f1fe39898acc48432987f05901f504b289a4e847d4c9f1c776550bb

SHA512
25482c7e2003aa4995e8f1795264197238f40dfc0a7b7daf08b67b0421e21b79e7777b5a7b9bfdb6f8b22ca792d2217f0676d68841736afa9d54685d794be9c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e1128565da473fec8ccdbf5b3b34e33d

SHA1
9ca6515a1825d068c5b6eaf7cfb1cb67251f408d

SHA256
a84f4d5f1d03d4d8dd36e231ae855e91c8c34d151093078dfd85d13c7cc683b7

SHA512
7e4dfa5c81d8c22585578c3d8ee58bbc632f9fc84c2e815a16568631d085e6b4a4dbbc63d18288064117cf45dece26dc22c5f075ef412ee57100cb413c0ce94a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2h6e9j6b.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
e6ea41ae273d75b2d359fc8206a08211

SHA1
dcf503f73792fb3acccc503f9766f4d7ce2e4944

SHA256
37675d5db3ade22b3958d10021d04abbbccd6fdc9e6f3d024450eaa186b41c0b

SHA512
c9467b51721ddb4169208a2a07c78ff7a032af7447fa2049cfc6c11a90252b9d5810e2ed1acad8365bdb9acb4268f3258623ea6676be5c0f5569c159ccdcc170

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
160B

MD5
58f8eb09a822c09fc11f5a42baae36f1

SHA1
9e7063eeee62c8588e0020bef3a116e9379966aa

SHA256
6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a

SHA512
53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
8B

MD5
8e1b08222f20e45a3e8db04c569f9cb7

SHA1
a6ac68fbadf96faba3af7000a7514790157f930f

SHA256
5bb1f21f806938a043563024b13b33d74a2b95b767c5f81bde8456e9d0413a89

SHA512
414d30dec0fce6b4e3ab52c50f064262e0df00cf9dbbeacca271a0991555371a37cfffdd0486c07a9096838942a69cdbefea4a4399ef2848139678daff589c31

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\2h8e1j2b.tmp

Filesize
37KB

MD5
f156a4a8ffd8c440348d52ef8498231c

SHA1
4d2f5e731a0cc9155220b560eb6560f24b623032

SHA256
7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

SHA512
48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

Download Submit
C:\Windows\Temp\autF45D.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autF45E.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autF46F.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/2424-212-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2424-191-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2696-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2696-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2812-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2812-23-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-106-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-356-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-366-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-371-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-376-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-385-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-321-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-413-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-278-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-220-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-442-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-443-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-164-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3044-451-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download