1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
56s
max time network
52s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/780-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/780-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2028-44-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-138-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2220-140-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4504-142-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-143-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1424-144-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1424-166-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-167-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-200-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-359-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4256-360-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2040-384-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/780-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2028-44-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-138-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2220-140-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4504-142-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-143-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1424-144-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1424-166-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-167-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-200-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-359-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/4256-360-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2040-384-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702945129631396"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	dControl.exe
780	dControl.exe
780	dControl.exe
780	dControl.exe
780	dControl.exe
780	dControl.exe
2028	dControl.exe
2028	dControl.exe
2028	dControl.exe
2028	dControl.exe
2028	dControl.exe
2028	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
2220	dControl.exe
2220	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4504	dControl.exe
4504	dControl.exe
2220	dControl.exe
2220	dControl.exe
2220	dControl.exe
2220	dControl.exe
2220	dControl.exe
2220	dControl.exe
4504	dControl.exe
4504	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
1424	dControl.exe
1424	dControl.exe
1424	dControl.exe
1424	dControl.exe
1424	dControl.exe
1424	dControl.exe
4456	chrome.exe
4456	chrome.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4256	dControl.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	780	dControl.exe
Token: SeIncreaseQuotaPrivilege	780	dControl.exe
Token: 0	780	dControl.exe
Token: SeDebugPrivilege	2028	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2028	dControl.exe
Token: SeIncreaseQuotaPrivilege	2028	dControl.exe
Token: SeDebugPrivilege	4256	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4256	dControl.exe
Token: SeIncreaseQuotaPrivilege	4256	dControl.exe
Token: 0	4256	dControl.exe
Token: SeDebugPrivilege	4256	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4256	dControl.exe
Token: SeIncreaseQuotaPrivilege	4256	dControl.exe
Token: 0	4256	dControl.exe
Token: SeDebugPrivilege	4256	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4256	dControl.exe
Token: SeIncreaseQuotaPrivilege	4256	dControl.exe
Token: 0	4256	dControl.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeShutdownPrivilege	4456	chrome.exe
Token: SeCreatePagefilePrivilege	4456	chrome.exe
Token: SeDebugPrivilege	4256	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4256	dControl.exe
Token: SeIncreaseQuotaPrivilege	4256	dControl.exe
Token: 0	4256	dControl.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4256	dControl.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3796	OpenWith.exe
1572	OpenWith.exe
4968	OpenWith.exe
3776	OpenWith.exe
1012	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2220	4256	dControl.exe	84
PID 4256 wrote to memory of 2220	4256	dControl.exe	84
PID 4256 wrote to memory of 2220	4256	dControl.exe	84
PID 4256 wrote to memory of 4504	4256	dControl.exe	87
PID 4256 wrote to memory of 4504	4256	dControl.exe	87
PID 4256 wrote to memory of 4504	4256	dControl.exe	87
PID 4256 wrote to memory of 1424	4256	dControl.exe	92
PID 4256 wrote to memory of 1424	4256	dControl.exe	92
PID 4256 wrote to memory of 1424	4256	dControl.exe	92
PID 4456 wrote to memory of 1284	4456	chrome.exe	104
PID 4456 wrote to memory of 1284	4456	chrome.exe	104
PID 4744 wrote to memory of 1224	4744	chrome.exe	106
PID 4744 wrote to memory of 1224	4744	chrome.exe	106
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2988	4456	chrome.exe	107
PID 4456 wrote to memory of 2552	4456	chrome.exe	108
PID 4456 wrote to memory of 2552	4456	chrome.exe	108
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109
PID 4456 wrote to memory of 1164	4456	chrome.exe	109

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" windowsdefender:
      4⤵
      PID:988
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3380|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2220
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" windowsdefender:
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3380|988|1400|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4504
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" ms-settings:windowsdefender
      4⤵
      PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3380|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1424
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" windowsdefender:
      4⤵
      PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3380|
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8a41cc40,0x7fff8a41cc4c,0x7fff8a41cc58
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1704,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1920 /prefetch:3
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4684,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5336,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,12508601325553946991,16237328477106520868,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8a41cc40,0x7fff8a41cc4c,0x7fff8a41cc58
  2⤵
  PID:1224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f7ade43dd0f2b39855de94f079d712c8

SHA1
2b7078487d6103bccb92059c0613ffe0006e3fe9

SHA256
f235e48b4358d99b1561635b6ef09503efa3b6e3210786cb0d944652f12dccaf

SHA512
5e416b10ee785f2e378ecf1f1196328b56d70764e841a68119ea592d5205dddcf0be9cb9f52e80489bc8ac620ac32d479d07e2f7f234550f9ff7a43f0ce7d3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fafdb50312385fc41a22703d29033307

SHA1
3a5147138f25e72f1a2570a985b2cc3d2a561407

SHA256
7e0e673b8ccc50a0d5d874833ee6a79b6fbf78c3406e87f92351d5b8d94c9ed1

SHA512
dbb0c7fe60a9ccd553edda5ff7e67761ae0b3ff6a49fc52d705f27fa8231efe915e02cf16b5bd14ee90e094eeea57bab4f38c779feaf2cbb3625fa2191096899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a8270626b7139c386d99a925e62744a9

SHA1
34059a14915b10963ec412eb4cf904c6c754893a

SHA256
9f10bee5a7a62ecc91391bd9a26359763e017f31d59c5b344e7ceaa9289014a8

SHA512
e78471f4d6fec026fc56b2d5dce465ebee763443d01adbffc2dfc4c779f3502cfeefb4580e9b4ec45a3b15948031bc3c456f963ae2b5971eb764a4b42502a36b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cc695f2ab81bfcad0ec5f46fd0bb31a0

SHA1
8d6cfec88fd87e5924c79b1db550f428c1225f9d

SHA256
b4510731851701c44e6876b03b74726844b593c3767249b218c4d4297303a2f0

SHA512
016bef9eea940008b2cdff2e86c2257f1a5275fe15ccaf1463c3c69881d5333ed728c0660dc6a592f308d2ea8c89cee8b9471adb1f54dc5fcb3996dbf22add2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bf6e3eb87088173368dfd267261ae6c4

SHA1
cda18bff6319e569a1be8b76dba4c9fef5dce532

SHA256
da7d35bd9786011e6202bf5f4a326d2258e6cfdb7146c0717cce0be33ddf4dec

SHA512
a15fffc0d7199cc07ba1e19b993e2f34f6995fb8489fd1d140cd4cc41bb8fd1949efaf78ad538a3e576dcbe43aca48aa4f694b1e3d2ce56182b3a150f36ecf85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68e3d32b778c4390efd1fce1d2f4121a

SHA1
53e4b3c29239409d94c93e544be3cbbfc820d1f1

SHA256
1ae16d3b927a7acde391fafa513252d218a55a6b0e189c45a7a0d4719c45b60a

SHA512
2c89b42842c4811999524228c37a36d8b2d486043e925092d8bf472cd550a5390d2831f65767727ece71cd3d724a5abf402b0e667412763000854e2e836bf001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
843f8c42eda9af631960b5e64ca34306

SHA1
23066c2cef4f268dffb4c723d8d7cfc61f5093c3

SHA256
87dbe5f2f4e98284d42972bae0a88927114a0d2a89020fa84b0ba8676d3bddf8

SHA512
39549140b0c8bf1f81cfd4d99f0231856dc9fdf3c406fe4b25376b83bc001fb790e13cfd66eac42c986acb25a28b97de8d9557297e55daa04e076e97277ff42f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
4c6e4c0eb28d8a5a28a33d808ea7f745

SHA1
34e35c6e6bbb1ffb8c86540ce6d60e8872b06ca1

SHA256
0b4a6592848a9cf91e901f6045e8e0bc760771c1ff6e2c39b952c1701cca3a16

SHA512
abdedde398e52f0e3665977fbf4fa002dec5ba597222c5e5fe6af04ff8377aa4f89ff7e8e29cb28422a55b0155f137877982c09526648ca32593258f67f7092a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
111ff6de7ac05a025adec2d5c49ed8d2

SHA1
def22ebd74e77fcac5dbecfd9b05c79ed351864e

SHA256
120b661c60a2d6b278c8550c434867760a54297c8e60b5c613db95373e2f2c94

SHA512
d3e1c2e436f439791d982ec545f4c7c6ffa5e8c0f3c6d074a85d2d9ec9ff9bbcc15299286f53cd7722b20b0181349d0f475f2f43b918695e1e5b67016e46691d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
bf2896b13875882296eb611636a50356

SHA1
28e1079d9f1d2531ddc609b921057226aeaee56d

SHA256
266a439120cf89f362f8641f9ff3eecfd013078750d22f583fe6d7c8090b765d

SHA512
747e1306711d5f9062c6a6221c206e00882ede91e4088f73cb56834aed3fe193fa622c725a0e1f86ec0972cdf2334e7b9371d5805c5e344f8face0a35df58bca

Download Submit
C:\Windows\Temp\2z0r2x8h.tmp

Filesize
37KB

MD5
e00dcc76e4dcd90994587375125de04b

SHA1
6677d2d6bd096ec1c0a12349540b636088da0e34

SHA256
c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447

SHA512
8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8

Download Submit
C:\Windows\Temp\2z0r2x8h.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\autA2E7.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autA2E8.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autA2F9.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/780-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/780-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1424-166-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1424-144-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2028-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2040-384-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2220-140-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-138-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-200-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-167-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-359-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-360-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4256-143-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4504-142-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download