hxxps://github[.]com/UnamSanctam/SilentCryptoMiner

Analysis

max time kernel
900s
max time network
1603s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
27-07-2023 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/UnamSanctam/SilentCryptoMiner

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
716	516	WerFault.exe	89

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133349260994451389"	chrome.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
516	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5016	chrome.exe
5016	chrome.exe
3304	mspaint.exe
3304	mspaint.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe
516	PaintStudio.View.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3304	mspaint.exe
516	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 996	5092	chrome.exe	69
PID 5092 wrote to memory of 996	5092	chrome.exe	69
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 352	5092	chrome.exe	72
PID 5092 wrote to memory of 2520	5092	chrome.exe	71
PID 5092 wrote to memory of 2520	5092	chrome.exe	71
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73
PID 5092 wrote to memory of 2944	5092	chrome.exe	73

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/UnamSanctam/SilentCryptoMiner
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff987b9758,0x7fff987b9768,0x7fff987b9778
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:2
  2⤵
  PID:352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5208 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3772 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5796 --field-trial-handle=1692,i,3866500865620285333,13780928869399588406,131072 /prefetch:1
  2⤵
  PID:4424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2524

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\SilentCryptoMiner-master\SilentCryptoMiner-master\SilentCryptoMiner.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3304

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:516
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 516 -s 3828
  2⤵
  - Program crash
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1257f6b7da7b6f469b5703e7d287e80d

SHA1
5e55ef492ba08d6b0288109c45f2475e8840b14f

SHA256
694cbadab9c07bbd5d9a8ca48fb7759efca4aa944d563b26485b61f8b90ee637

SHA512
312e1bd67676a5f061ea863c76a46d659071571e23f2e68e3fcf46e75e2de0058f2cde9b90edffd38e940c99c2dae4f47649d9f04ddabc5adbeaf05cb4749c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
156a78884df2ca023e862c9ba49f8bd2

SHA1
80fbbb8a48520a8c66c1b0e45a21156391c55b30

SHA256
441e52bbde055688fc014758eeff7d61793cd361715433f1dc26f441b3b1fb7c

SHA512
464ed00c15a2c0b992feb017c2e72f22efa1ce3e7bcb7974ea1d38dc676b6e80b8509dc779af762455bdb6e7787b172f0bcdf05a4a49f9345fbdadd71c964141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
fbc28710a93d6caf116de0812947c29f

SHA1
f7a68ee048519ae130b891e34e137e17fe6323b5

SHA256
8a63590836de806d2c0f42455a5515f4b577b1421416c130c039fae46222031b

SHA512
27da1c3d8a3ec0f459cc372cdebdbfd4128399f35cdd5d8cdcc9eeca832516baa329f1f511522fb66589d8f6717a98bc880498952dcf41f1c7974c5f36c038ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
5355c625c41f6835ed88d49e94058f6a

SHA1
0d847ccb4da0166aefabf05895624d6032ce56d2

SHA256
3cb133391da2e77589926a0df2e34232db0f4e5084bdee9a88c7dc2744479c11

SHA512
71351ea839ff6224d4eaf866374df872d50bd5508fcb18e8c4e3a1dc534d907b24d544a123c170dc227be6e9b93f9737f4828a02fd9674a3dc093930cc7fd451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c9aedb87277c840104f286c4dc85c349

SHA1
c4b8a8b6a44e50c59a0dc30c51c09a8c56bc3b43

SHA256
43b5a494d44db0c9ad3aed40db96b3b5abbf4bc144695eb8422652c1ad12370c

SHA512
a7ca79e1d0ed4be521318e241cc94439dd27e3fb23b24f124fc06488fbec3016cd299f82850273f5a32d6472570139ae4ae340a621cc55655236b10b56f5d29c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b0dd82f6d74a2dda9b49dc91fc2bdc20

SHA1
cb9dea9dfff91aa3e75bbdb225d74f1718c1fbd7

SHA256
45c6bf3d4c792bdbe782efc17bedabb786816794bea9fd68f72e48d79aba147e

SHA512
e9bb7e258928f2bf6299615fa804aac6210ce808f6e99ff186eac2c97ad172f1b5f1aad321f4dd00bf3ab573b9ae2a84ce11a1797759bb10bea0e30e8389f348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
8095df68dcf6523bca118c4d8a09cba4

SHA1
e74db821e9f7cb5b38fd228c2a8f72e22c171fd2

SHA256
be46dded0dc6db8a0a415850da3cc4a7cf8b09df22aba2ca33cfdbb147cfe9be

SHA512
6e4954003e8fcec390103a839d0323d0872c7914aaae20d6e41a90464cc09594d91f5e56ba57112a48b34d678ed61576d3107be8315bea57eacafef649e6eb25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
63e234de549456d1e1780246395faa12

SHA1
1bbb0912eb0986dc4cc516cc2ab9c05fa6d0855a

SHA256
435510b9fdab3354a5c763f093ebbb40986bf91377b8d09c1cff8ea40f9c8f4b

SHA512
e6f604c5cda9820209274296ab04eb408cc0cbe2c1698fee77bac5cfcf10ad0071d7e80371d2925b2e8debcfd65ef60360c74d043d8f3c658705c26244b3a676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6e171b574998f7851d97ecb9f46c9799

SHA1
551ac42f2b41f57866c46303456bcc246314d1c5

SHA256
216ce57eae8e54afccd1694b207f3394d0ea88b7ace11dd93ab96d5e384fc79f

SHA512
8bf8de262bdb6fb575fa1c28dcd39f47fad9c6e88bde482b4c9b4d8f5dbfbb61798b8f49bfb29cfde76f59ff7b6923dcf91f45f8c2171f54d573a5e49dbb4e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c52704937415dd43405498e34f491967

SHA1
3f74a89fe96f552644fcfbd795b39006434424e4

SHA256
081fe792dce89f5fa33411707469a912c701759abb1a98a6ccc580a2ac8165ac

SHA512
42eee60041ce9e311658035336072821679584b2418d920cbe96fed0764fc103b80db48141f17697c585035083f4455357945bb5c3068467bce60e4a0d78601e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed51068480b390c93477ca16c73ac657

SHA1
b74fb4392544c4121cc94ed2deceaeece5455eb5

SHA256
99faeb8ddd3b21092532efe3d8a7b498e1eaed598fbe549cd1e51752a984d55b

SHA512
1d438012e59a482ba3fa188a0c92af5e20e44b2943a3b17c02238ecffb3fcef99a68e620a71889beefb420992dd5ccb75904bf14d404d5ca25a6e7a3c1592117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
68b935ab63dcfd529683695a85a56097

SHA1
f4481ead50ac14d3596d8e816acc26e5e8246b3b

SHA256
8806d508296a15b371adf0c15955e3931ff8dddf4c6804782e5788c36726f399

SHA512
f3083603772abfcff44ac29b2588c81f2101599ef5b0673c21010864a17c027e2a0ccc17b8a4a78f7143b593ac137fe822977ffce64eb0445497dc659f17bffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5f5cedf04393c9fd4e3c0f3da4aed526

SHA1
713705434466837ad675321aaf89bbc5c7ee87ea

SHA256
4d7b4f3685f94cd6a479bff0f598c30f7a5a71e1cebba6d1e95d749c56d96457

SHA512
93c65e9af464e4eaba2f2f4cbf13e3cc9a374b09678655a4433ec5c0d408e0eb84398bddf6a69797388d198ad8f4a4ca2799fa1d4451e5a30ae5cd866190f462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0a852d8f9e6a8d4f9d5bff44292bd30e

SHA1
69cf0b2a3283661149dfc1c1646df7e21e207602

SHA256
873f42924746858e359e30e32d03daa4786e718410d2e7007924b589e499193d

SHA512
61d99a75cff64b5273c71d533d6f80d08ddad4a6595d9ead529176386b8123d17bc7eed4e9836a96adb6f2cd7996108c99612a5e9e8bfab904e9bf1f7b8d70f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
497df429ff146caa619c0e611a608f7a

SHA1
091c907121d5507ee26018e109da1778543921b4

SHA256
559f8003f1906bb1a506beb9fa269f772432c68eaf14691d6ebf53d03df60a93

SHA512
4022ecbea2731e961c02399473f4e84fc4ab7653d9326935fbffbb2b14893900ddbc6cc7391aefae71c1e93324abf33d10565033ad9c55f00269d6d96f7409f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
69fad57a70a4858e798881fe58292f24

SHA1
e9af74fe2f81133558ed6cbfdf8b43199ea886d8

SHA256
58497bfd02ea8606dd62fcf6c985cd3cf37b9b2d937994744e977497d643d023

SHA512
1378250d30b0ba6a72d1e7e8f694878d864f7214e45a79fde6fd01422f238078f2d79d64d442c21666cb1e8d8523ed218c0c4b414a26ac82ecebe96259af1854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
ea1fc16ddfc2dc80fc8fc989e344ede8

SHA1
9f0a3f64705410926d56cee05ec86db669b65968

SHA256
7303a7a6971b21fd1b5dddae3fa95353b527c35ab284862878e3fd2a0a8b0364

SHA512
997d05421ebae9912c3d7f1deb0fe9f12f479c4161d6b6d4204f4544ba7b06bda654688887d81b2bf6b95c49bbd2ca62bac27ea950a89ec2ae6afb2da28fe47c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
a4f5d2c9fa5c2562cc26ade87b21244f

SHA1
f6cef7cea858f10e6a64810261b3b75163e6aace

SHA256
194b93f6d7de169ae0ea1349f2069d6ba72626a90fa5ae02136b551240e8d423

SHA512
b2e93f88d61865707dd7da7dd9ba8a3114d842c1b6837afffbdf9aa77e26c9debe23e65b30489a9a324308d6b80feb6dfa41fc2aee9072e419c5961a65945528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589bce.TMP

Filesize
100KB

MD5
0c8f5a62261d7a04ee6519c485556f56

SHA1
7f9136bebc5c8cb6db3762620134fbc359428d8b

SHA256
0b8ddf04950b6aeeda96f920c94edf1d7a0d04ecf61c77b1002cd4af2218bcb2

SHA512
a84b9441d8be7d9e76ba31feff1172e3e14fc9a32d1e906ba114beaa056b78cb03766ee8b0fe4799343adefd88f468ae7d73cd70298001c18ba5c5f25675dd75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
245B

MD5
2079d9e714363f0431b7be1e21357eb2

SHA1
70d6e027556a3a3f73b53cf199eed0c2aaf2b0a1

SHA256
04f99ec33580b189f1fd82fc387dfe088ebb54f0e8bdd430fb36a0e4637e53b7

SHA512
d1162393072b0d8d68d07839ea17fb63a082fceb548e8c06706330a1cb475b986139a3e41fdb71cc328478fb9fb5b971c9075cbfc01d7185e687e93d11cf2def

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit