1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
47s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

5^/10

discovery upx

Malware Config

Signatures

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2800-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2996-44-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-173-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-174-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-220-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-294-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-431-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-510-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-585-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-616-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-625-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-626-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-628-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-629-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-630-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-631-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2720-632-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2800-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2800-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2996-44-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-45-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-173-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-174-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-220-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-294-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-431-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-510-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-585-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-616-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-625-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-626-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-628-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-629-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-630-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-631-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2720-632-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241013233154.cab	makecab.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2800	dControl.exe
2800	dControl.exe
2800	dControl.exe
2996	dControl.exe
2996	dControl.exe
2996	dControl.exe
2720	dControl.exe
2696	chrome.exe
2696	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	dControl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2800	dControl.exe
Token: SeIncreaseQuotaPrivilege	2800	dControl.exe
Token: 0	2800	dControl.exe
Token: SeDebugPrivilege	2996	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2996	dControl.exe
Token: SeIncreaseQuotaPrivilege	2996	dControl.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe
Token: SeShutdownPrivilege	2696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe
2720	dControl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2028	2696	chrome.exe	36
PID 2696 wrote to memory of 2028	2696	chrome.exe	36
PID 2696 wrote to memory of 2028	2696	chrome.exe	36
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 1580	2696	chrome.exe	38
PID 2696 wrote to memory of 356	2696	chrome.exe	39
PID 2696 wrote to memory of 356	2696	chrome.exe	39
PID 2696 wrote to memory of 356	2696	chrome.exe	39
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40
PID 2696 wrote to memory of 2588	2696	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2720

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241013233154.log C:\Windows\Logs\CBS\CbsPersist_20241013233154.cab
1⤵
- Drops file in Windows directory
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5f99758,0x7fef5f99768,0x7fef5f99778
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:2
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1552 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1136 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2152 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:1
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3912 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2340 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2696 --field-trial-handle=1080,i,10876629822432709197,11499726724982258198,131072 /prefetch:1
  2⤵
  PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
70KB

MD5
a8bc992bad7bae98e96d1c839fc939e0

SHA1
83c183c786ee2952427db80c6e91de04d800b3de

SHA256
6e7da6e50ed27be4e94e33192e0cc7b6c71570a360054a35786b7a8c36f94567

SHA512
3cb4d5b9bffdf5a8471e278693ae9f5121cf976ed4e431f7f8fea5bfb7e783c44ad8f5309f986e3badacbefc1704cb2ef611da0ef06ebbe7d56fe74afea5597c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
422KB

MD5
b76280f2ab86f3f1e6bceb6d90138aad

SHA1
ac1b90fb070d9c02eb4442886c92652ee290474a

SHA256
0e62af7ddadf47efa6bbc0ff45a222ce358ebe8410e7d28ec0e4ca127c947f45

SHA512
dd76adcc8cb2fb585e2be0b590a19210d1df9c2e8855ba7653ac3309fe5a621a6c0c7de7ec5ab58e5d8af35c6114b491b8019bb63b22f279378fff9a79ceb54d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
255KB

MD5
f63752425a660e4a8a30f0995b0a44d1

SHA1
9ba991e3cdba9910b3b51a149aa88355d22d04af

SHA256
cc8c5dffd9f95683253b7dc733c22db2633114169e45420aae4393dbe13097c3

SHA512
1806791769b1cbe6b1495efcc66d7bf78714f4ccfef24cefac72ed6b082ad08a08b860639450d95f79b5bbd781eb74c138f215b2ac99bec7cda2e9d832ccb78b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
168KB

MD5
3f6c5d514290596ff4f2e65fd6799db7

SHA1
9f906b1a03663311398ac99a6406da9b030d49b7

SHA256
12af5ae614f78775181955bb0ec8ce5e7f7ff01561ddba709f3c551d6d4b1d8c

SHA512
a9993a9de8a08aa30efb662b7852cb040de2216e7271805cb0cb9e064354cd04f8d7928aefd3c95f10bc3cfb6e987a1e6f5e858c3904c20e5a920688a39f3873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
288KB

MD5
4ba80eca8d3bd474b472a908a986d7a2

SHA1
89452b2afb861bc140fa5245c27375e74e2b1474

SHA256
15da3fc71f8f197e032e87e6177a57cb0768b48ac439d97f1b5a90af5b29f292

SHA512
6a263072b40fa8872c3484f5edadda74dccdc467acc4401fc09bcc49f05f4a23a02830cdfaeba4043fb48a8eb40570bdf866fd2bbc3987b7748f9966be4689ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
21KB

MD5
c69b39cca3a3c5a67c0b25111f965411

SHA1
1314022da524c52eb53fa547cdaf0db012a0e589

SHA256
d44d542daa3d49d6185f400cb3890eeacf2ececd3ca6ac68b940cca9215ccd2d

SHA512
94a33f12f04ff64e9a277546197a7e8867ea7f69d6f09fb917de60223e7a4464ec468a352c66977a25689dd91e4eb2ade06a4c597bbd846810fd6ae6c2d0f569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
186KB

MD5
9c904a50adc70106cb8f138b752827a1

SHA1
ff1309a1b3cff8fd5113a25f03589bef96cdbdd2

SHA256
c9df3fea1bb4f6f952b22c901c0336f3ada7fee28566ccd0b04b4ddd91a54329

SHA512
33f1f18a7bb82de3480643d13c1bfb6d6bfe6ae90559389b0709b949d2a62bac97c00792c15733310bfb456c4977851cfe8c55e4c3e2c5b3c66d1b5c03ebefe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0a0579eb962b8bc4_0

Filesize
347B

MD5
ed8bacb46d5fb56fac5edd856ec795b7

SHA1
89931a6a44e12f0d4cf5691d61d9da9286cdba6e

SHA256
6f344fcb5351a19e1e4ac3dacf30a85b9a92252908f3a0b7d82a81efceb51f97

SHA512
a06a6bb1e360e86c053f7873a9a718a26ea2b5aafbc72f46dae47ea4ae07c7221de0880d97095e09fd3cb54d5a17ec58bacaac66da8bff91d40b72db6d47d24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6e26ffbf7c6e8112_0

Filesize
236KB

MD5
56587d97dce14fda445e007797ce8e52

SHA1
cfc0c8d62fe517902a3a5e80ce17c1663d6688d8

SHA256
a4e8b31c139f046228d1d69c532fd5265e31f25a00cf8a16e11324e55a56bcd9

SHA512
4d3d8ac9639b27c25a5c880b81138e610f795bc5b0b9c07d46688d4702c4aefe0e70ebd37d7a0073b0642cd8c2195c55122a7e2a55f60b4ae29383208763eb69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3082a01198029d77585718ce92b8e33e

SHA1
fba792a78b1de2369e4fcb33d896cfbf4f904db7

SHA256
83eeefbedf28d55011898d83ea79d7845f6b17fe1479da208afadfba0f354be4

SHA512
c7be79101aad4a144e5c81dd3622a7e753192156f2f24665c2bba92eeb795e81bb8225f9272fc2a2180f4e062841c7ae3edd0d530ef487fed94e979c61c1b577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
4aa3cc2926371736064c54b7cefd03f9

SHA1
f2ef2ea30ca6b9f5d931ba3473c75fe4b6e2833f

SHA256
8c83e044ec122276cd08801a1153eb6e0557f50be8d9fa6095cd498540468bf3

SHA512
2246f03650117f2e7d440522fa0d3ca1e05a637f31963c8c1e08d30437d93d55727b69a605fe8d8fe9a4051a45cc5d9f1e6932c1d5de9879a39aa55082206d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
9fd27ddf53edf48712361c17f17e76ba

SHA1
0edf253a9c99309f7ba750a495c6b619f15fa8ee

SHA256
fe29cb191926d089a7e550a68f9028c24a97de3ae93be3e59e8814de467c1527

SHA512
025af300c11b3dc10abf4710d5f9f76947992900a2a14f5c9ddbbdd887d334ee16d17f961f6dd03e962f889ad60cb789d4c13f9c470da89515c4382ded8a4d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
6b9ceffd012a74105a5840d32ea2ad00

SHA1
26a4d83120a60935bbe3a1923ea9993fbc90b9a6

SHA256
ebc78c21d7f36eae28749950cd97a7a2a063af2cec69aa99a802a7c875341e44

SHA512
7fff6611d811f55c4fc13a757e77e628a6057564c6046ee131ea7745d6eee6393d6803bc131cadbfef7d013ec2ce5ddb923f26e86203b93cbb5d28b857f0466f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
2fc96d3211863cc3da5d51bd50ad9b78

SHA1
d4cd737231428c7510a07e740e8f81e6bc2c6dbc

SHA256
3dfaff8a4d1040c9733ae86f7848c0f862ca6305dac6c124facbe9538e23891c

SHA512
b793691a80632f3ac8951a410459fc279ae9d6731b975a1c0b56764fdf17c6057ff07fa1e2075ce422fb66e7905fc8fa40a3fba2ce39ba46dce458aaf5e27f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b36c927e2f21bfcb16102b1fc314f4ea

SHA1
2f6d5446332c04d76bf446bc72fccaf68b68ad09

SHA256
8136462e4d8dee62dadbb46903c48e9a5357abe79594a125702db1f105763255

SHA512
0146de686ba53e755a1d46f61ac6b7e95b1102174a4c0de101b2f4e55b5366f1244db4536ba79c14ee25aa779a99daebc73ce4df7790e960fa7a058ffe0f9f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9b676c84da367f3910623debf84ee1b

SHA1
97e72dbc3d4c110b5e2f8b13da059a0388977661

SHA256
e4098013f16c71ebe6aa950fee348cdc140750b2384d0a537977b955b0d1cf08

SHA512
7d8209d24b0e500545d65036168bf4a75ca222ae26c011f9a40a5cb8f35b69eaa55c1805a086d004a09edd95de95f052fcb1d026993c147f076a0d9dbcd3b7a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aa38e1b47265b492de02b01d1d0895be

SHA1
31d05823807a9bed0af3ee4d95b8c8f1f8eece96

SHA256
c518a9cd5ab9e664b04849e47cb41753ed4f6263037944c7386905a1cdf00bc1

SHA512
e9a79f144fb9a27f4607a39a64782af1ec9353049da51275cfe4e8e65d860e931b36642bd4695408df82ab9277e7e3d15c301a9ab8344906c1c71be8adf1c39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
341KB

MD5
a2cd7a3c90124dd87a734f6ec5272133

SHA1
8f0b09211674f98bcfa1c8dfd4c55a61b9ab25e2

SHA256
cdd4608c18e5d30c38adf2950be931489b7e0a6a4ea413de4857659e940c90a8

SHA512
9b987a098be13249e6bbdf730a7886641557708eb709af0dd8e3583734ddb538752eced497f1ef3f1b48b46b9f67e6d7d5d2aabaf4140f1a9059fa7026d146e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3AB2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AE3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
327115ca525f5c17934812c1e9f780c7

SHA1
412b7378f1d12f356b2f795573d79ca30b42377e

SHA256
5e23a994d6720e670437020d2c5366d600cd005f407691f747ca5687fbc5e7ec

SHA512
212d21aec2af43a329b2f2aabc1b6ad9c4b445bc8447368c830d089c4ae5d91e672fb863c5803881172a8e73e2fa4568284890f417556c53c6c2982c503f5d5c

Download Submit
C:\Windows\Temp\2d9g9m6w.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut8057.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut8058.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut8059.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/2720-625-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-628-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-510-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-632-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-294-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-631-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-585-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-220-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-174-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-173-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-616-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-45-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-626-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-431-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-629-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-630-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2800-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2800-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2996-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download