1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Resubmissions

20-11-2024 22:59

241120-2yey8awcpr 5

20-11-2024 22:57

241120-2xn6hazlfp 10

Analysis

max time kernel
72s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

10^/10

discovery evasion trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	dControl.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"	dControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	dControl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dControl.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2476-21-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2408-43-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2108-94-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2108-95-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2108-150-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1496-151-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2108-153-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	dControl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	dControl.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2476-21-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2408-43-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2108-44-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2108-94-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2108-95-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1496-129-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2108-150-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1496-151-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2108-153-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20241120225759.cab	makecab.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dControl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2476	dControl.exe
2476	dControl.exe
2476	dControl.exe
2408	dControl.exe
2408	dControl.exe
2408	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
1496	dControl.exe
1496	dControl.exe
1496	dControl.exe
1820	chrome.exe
1820	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	dControl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2476	dControl.exe
Token: SeIncreaseQuotaPrivilege	2476	dControl.exe
Token: 0	2476	dControl.exe
Token: SeDebugPrivilege	2408	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2408	dControl.exe
Token: SeIncreaseQuotaPrivilege	2408	dControl.exe
Token: SeDebugPrivilege	2108	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	2108	dControl.exe
Token: SeIncreaseQuotaPrivilege	2108	dControl.exe
Token: 0	2108	dControl.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe
Token: SeShutdownPrivilege	1820	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
1612	SndVol.exe
1612	SndVol.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
2108	dControl.exe
1612	SndVol.exe
1612	SndVol.exe
1612	SndVol.exe
1612	SndVol.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1496	2108	dControl.exe	39
PID 2108 wrote to memory of 1496	2108	dControl.exe	39
PID 2108 wrote to memory of 1496	2108	dControl.exe	39
PID 2108 wrote to memory of 1496	2108	dControl.exe	39
PID 2980 wrote to memory of 2752	2980	explorer.exe	41
PID 2980 wrote to memory of 2752	2980	explorer.exe	41
PID 2980 wrote to memory of 2752	2980	explorer.exe	41
PID 1820 wrote to memory of 2432	1820	chrome.exe	44
PID 1820 wrote to memory of 2432	1820	chrome.exe	44
PID 1820 wrote to memory of 2432	1820	chrome.exe	44
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 2988	1820	chrome.exe	46
PID 1820 wrote to memory of 348	1820	chrome.exe	47
PID 1820 wrote to memory of 348	1820	chrome.exe	47
PID 1820 wrote to memory of 348	1820	chrome.exe	47
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48
PID 1820 wrote to memory of 1816	1820	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Modifies security service
    - Windows security modification
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |1208|
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1496

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241120225759.log C:\Windows\Logs\CBS\CbsPersist_20241120225759.cab
1⤵
- Drops file in Windows directory
PID:2024

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2868

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2752

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45614236 22625
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef60e9758,0x7fef60e9768,0x7fef60e9778
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:1
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:2
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1356 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:8
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1384,i,17472845050816948430,13868553167430704086,131072 /prefetch:8
  2⤵
  PID:2896

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4f126a12-5fd3-4df7-9e09-8e8fdd66027d.tmp

Filesize
349KB

MD5
c39d1ee543279051c7108651c42466d7

SHA1
3869c56efab47ea64d244e9921b616825c8b16e2

SHA256
588cbd5d70790c19cd567939cec57c47e24766adba2189787666ca243b2f2be4

SHA512
2a21ee9982f92f5a08e4835f2f1cc2b9b889457916513f5645847d05b2d55655754585bf73975c0b39a6698c3f316d5eda668d16c9bd28ce3f0cb46136c4c659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5295391d5f42973e9b3c166184f52a4f

SHA1
5d867747c7092a19352489d24d0bc641d3d816c6

SHA256
ab9406b85803c4aea11b99a088f1ed05ad26938a11015b4d640e22ed61167cf3

SHA512
b7e234d450040289100437609cc1d2cf247ad81419c94122243edf00355a7ce37c20b5c2ec49a3574313bc6e2ff8e08ab7e32774f77c5c35d262ee85ddefe4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a060d9f71fcb593758fa18c21a90e6c9

SHA1
4cb7ecb0b613ff0146bc027dfddfd993596d7ab0

SHA256
5f56304660a337500a9f0e3ea56ac948f13c113cd3edaf2ac2fd901a05144a29

SHA512
b14f8afa223004de595cf4c166f6c1b69be31bf22d55130ad8de105351bdebf8a69b1e956002342f161c1bf95ebb51d3f27c73552f47937ee9dcbbd491df7e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
376KB

MD5
1521043a6c34bbfe16332409ba961348

SHA1
b59cf9decff56c61da4435f91ce70ce79322854c

SHA256
ae4ba9d71f52ec133b596cf23f9a559ef64fb94e3a7527ac0c875586988a3534

SHA512
72f5e184ee1ffdf27ace620e9cf2b06e5bf461ec05de8795c3d4c10609b9b599b4fada92c91310c22eab0921283fc63246d232611d2550c3a3d35c89731e4c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
13309907f490e9aa3d122730c352a8ed

SHA1
e78fd883a1ae00b5f9e04658aa62f1dde4d4cb41

SHA256
30746905234dbcf29cfa01c54a9fb72dfc2601bac7fc986632d418fb0a6583af

SHA512
e86b2ef73f17d115f781d4c042f5529abaaadba5f00bfc59e3d7c88d0608b8fac77f0b7ff83c22d8687c48952d3c8d170382d694254e3cc7a827ee75792a4032

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
b5f9e665faf428e1f0fd87e2d8849b19

SHA1
cd8c108c1b5825053db54806214c31c278d096e6

SHA256
aae5fbf018fc76a2a230cf1225b062df83b32a3716b0c45a580dd41f7bf5f627

SHA512
a5f69304f560bac4b42457ffe94e86d2778aa2c43a34b48fc7ef458ee4bbedf45840def438bce65a8820496a740af70ccffc886f0962b25805b55a743677608a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\2b4c0g8c.tmp

Filesize
37KB

MD5
f156a4a8ffd8c440348d52ef8498231c

SHA1
4d2f5e731a0cc9155220b560eb6560f24b623032

SHA256
7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

SHA512
48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

Download Submit
C:\Windows\Temp\2b4c0g8c.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\autEAEB.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autEAEC.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autEAFD.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/1496-151-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1496-129-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2108-150-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2108-153-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2108-95-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2108-94-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2108-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2408-43-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2476-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2476-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download