hxxps://tokendefaults[.]com/

Analysis

max time kernel
123s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2023 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tokendefaults.com/

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133365510513333892"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: 33	2732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2732	AUDIODG.EXE
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2720	2656	chrome.exe	80
PID 2656 wrote to memory of 2720	2656	chrome.exe	80
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 3100	2656	chrome.exe	82
PID 2656 wrote to memory of 496	2656	chrome.exe	86
PID 2656 wrote to memory of 496	2656	chrome.exe	86
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83
PID 2656 wrote to memory of 3644	2656	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tokendefaults.com/
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe38159758,0x7ffe38159768,0x7ffe38159778
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:2
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:8
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4816 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3968 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5404 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5528 --field-trial-handle=1880,i,5325458076773092526,16785801793202388807,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
58cc4b770cb922b041e829244205bf26

SHA1
b10add4ba0db19aa083594f56ceb9d1010a191e1

SHA256
8a5826a3cd91a41219abef9b3e1e34c8549eb5ae69b5d79a78b6fe8c0a3acae0

SHA512
97b2c9e1eeca651ca3a4f794da62e6f3cf1bc0a761ae6ea74a47070ef47d1fa1b6004d32146671f48634abefe210b9ddac511aeaf32cb14e14299246218a013e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1cc0dfab1a644bc051fc2f844405c17a

SHA1
349580de664147e47e9c045bdbd8a3689a4a81da

SHA256
71ce9a6ace0ab420fee1a4605dda04c7c5751800c420048ed60894ab3541d563

SHA512
40ebc85d0532ca1263b7df2e45975ba91064d483b14642af8307f8b76d9e2df9d59781513d625fc6d4b2b4273f96763e81a547e7c2eb55abbfdf2ad333ee367d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
895384730cd2fd4ad86c744ec156291f

SHA1
a0a30da0e4e458f4d568e9b0cd1ccb2d273f1db1

SHA256
01e39de834665190fe4e4136c86b16755a06d5af52e05e5773e80bb7de2cf1bf

SHA512
76eca7d7574d1e3628f81dafdf84904b7b60bf690140bf89e11071565513971b5e9c2c0bc53dfab5200676830125ad385dc4dc9202d9ef8a87cc25d39cf522df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
f45e669566ddacd8e5eee74a016c3c53

SHA1
676c91b7364d642876e0334a4a52b2e399a4bc99

SHA256
fd2183c0ee7894d977a1a872326b4bbc735db288ec9581948e1947e20d9e2a96

SHA512
6a764d68797d014c0daee41423606f3b50e62ed7c9988e7518b8b24f951998e8d079dfb1f9161c19c88c5105047d4ceb546d33ad9ef668fe5143ba5fbaf8b794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
88af7c97ebae4ecde4bac05fb8180e17

SHA1
27f18c23297e1c25468b20e3b6806750f0da29f8

SHA256
2ee0b77c6e7882ed8d348d343dc5f22dbe5677b49f71b47ee659f78649a43dbf

SHA512
6cbdb217576569aa656b536ad5c59bfe49eb08664d21dba7b0d2ded29b4118e5f17425d82cbfeb41149be2fc810e1e41bfc52326939651e467233a7ff6909240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
f25231068f77a22a5d70e058088d10f4

SHA1
80eaf53a526ed87d19b012db133804ef4ff339ae

SHA256
254a15343b07218f53025efe9cea197921d8fe79c6ae7973e3772c60d5830bae

SHA512
a168ae18f9519374c8574c6c55dd1b746258e1f468a19d6c843b4dd5193a909430434ba186324cc1e0107b01e4f275d2569a8823f71fc4eef6da8d530170d8b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit