1fc4dc449959381784dd2500ea76de0139e40b8aca1d92e6b5d22fb6f927636c

Analysis

max time kernel
84s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discord_token_grabber.pyc
Size

17KB
MD5

db40ce247b464d3ac0d15080f22ce442
SHA1

eb10f081e16c9566f1b487d39eda3fb8fa4b0de5
SHA256

74475975b9fc2e15a1432b8e4930b6a8a25dd63511bbc2628ae81483dd569046
SHA512

c614c93d3ad758bfe1155864328626b98900e95e06c504641f0286ee40e4e0e24eb4d83b06af576e7799d517aae8404f5c9acdc64315c594319c29e13a77b81e
SSDEEP

384:cGllyAavwW9FaOx817PPQviowoYbCj+MoGWTd0Da8:cIlytvN9oOx8JnQ6owoYOyMImDa8

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	whatismyipaddress.com
45	whatismyipaddress.com
43	whatismyipaddress.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings	solitaire.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	chrome.exe
904	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	solitaire.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe
Token: SeShutdownPrivilege	904	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1604	AcroRd32.exe
1604	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2744	2256	cmd.exe	29
PID 2256 wrote to memory of 2744	2256	cmd.exe	29
PID 2256 wrote to memory of 2744	2256	cmd.exe	29
PID 2744 wrote to memory of 1604	2744	rundll32.exe	30
PID 2744 wrote to memory of 1604	2744	rundll32.exe	30
PID 2744 wrote to memory of 1604	2744	rundll32.exe	30
PID 2744 wrote to memory of 1604	2744	rundll32.exe	30
PID 904 wrote to memory of 2200	904	chrome.exe	36
PID 904 wrote to memory of 2200	904	chrome.exe	36
PID 904 wrote to memory of 2200	904	chrome.exe	36
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 400	904	chrome.exe	38
PID 904 wrote to memory of 1108	904	chrome.exe	39
PID 904 wrote to memory of 1108	904	chrome.exe	39
PID 904 wrote to memory of 1108	904	chrome.exe	39
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40
PID 904 wrote to memory of 1068	904	chrome.exe	40

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1604

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c29758,0x7fef6c29768,0x7fef6c29778
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:2
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1112 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:2
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1480 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1416 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3452 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3272 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3680 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3900 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3868 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1704 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1456 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4216 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4056 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2316 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3848 --field-trial-handle=1252,i,10909109529590071651,50459349889054555,131072 /prefetch:8
  2⤵
  PID:2204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
d614bb686c59ac37a28619ed508640cc

SHA1
8df964faee92cd3570d7caf3366dcdaa955ac8c3

SHA256
fa3d36f3e526ab8de6539b426b84106ba7c5da8b4c2c4c0b768516e61a2d740f

SHA512
ce333cf3672857651a88ef5093ad1419011365f6462d2dd475880314bd70fa24b3417f7faeb1cf0e4a032ec8142453117b1222de485c367fd13f15a00e1b9fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91bc518234b67c3048f9a988197e6ed7

SHA1
ecba0dc54d18d04f66f58197b42700025b22bc70

SHA256
0d0934327478104d1a1dfdbdf29471f522364386e8d87d77da506752dd5db275

SHA512
d0418dffc6497a2cde55835b3a86f6c54283564ca9cddb4858fcc549f311677aa8ff938441d53a74903eadb1a102c9df328288679a063cc972472941da30224a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b03b44830215782a2e078ba4ac6da22

SHA1
b4735e94895286669c47b5ac8c07059d1b939453

SHA256
a8fde4b10e41e34e1601c1f7e44f44cb185688b464740e9c509b08e3fc3783e6

SHA512
b234968a41167ba8fcb617912fbb0606831dd5e323451ffff0440fc77f06f546f0a533a41aed93b69a9376c1c4d7168879d99edbc9557b2f9daa721d65a1062f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f9a868353760942d44d88e88119f077

SHA1
f26a50fb5460bd1ac3476fab6a696c961b1b684e

SHA256
b4f63ae74378882f3602ca225d9d83da9b33c7f97e5e364a01e1085b7e56e30a

SHA512
4368c8d7e04e68a9b6e587cfbd506d4632d38bd4ebfcbc92e3c4c82a52a5f8367a57166d1f0460725f93ef6a2e96eddba592893e39fc5624672bf41cd9fb0d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6be1171899f39b8f8a3483ad84ba106

SHA1
cef2eaf6276d5d2e64726b7afdeccd1d250f8c17

SHA256
4990a9205fed22a7dd802c1d7de729d3cbea75ec641096c8387a1f5350ec519b

SHA512
44eb12b9cc641b1c60faa44fd85be30913259c73f493155c9fcf06a850307fe25ef795c7121dc76af5941177fdf6858de68851a5ede67722bc26cfecd68f3d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97ed31075fca37c7756f094417a4e826

SHA1
af9adf8c4dabb26eff9aaec6225580531a1d0f66

SHA256
b3488d0c4c8cdfeaa11d0c3ca7b421455f69c561f89d59882052a01458cc8fbd

SHA512
4012fcb4de36cc41c08d5f92e074e036e90cfe66da40db50eb643217a2bd881221c775a7dbfc71cfe5a4c781dfed6588ad20f197f66fa5f123060a604b40dd41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6616d6a07dc506d38da8ec4a407c2457

SHA1
944bdfe98570fe8b9465301bb93f5776b9e25367

SHA256
267413d975f48d80323330e32d3860ee137012d796ed602f6af0a59959c98371

SHA512
690ab5198b7ebb62b59325828a71a36486aeb4d23116f561782e299e9368d25cc1de74a8ba3ead6432211a834ece3e7f4018a4f97dc79d92e567741d7c19b485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_whatismyipaddress.com_0.indexeddb.leveldb\CURRENT~RFf783534.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
158a2be02fd43d81e793c1dd073a7619

SHA1
24726c998bd2a1e12c38003d819c8eaab2ba3ccd

SHA256
3c31e929309cab836e27fa1ee748a450660d9cced88e366ad3df040319295f04

SHA512
0e4d707602f4624b8dbd4408e9d2e40a75d705317a1166c1e4cb2ca13b14859805b6313d0033f9e0ac5ecf82e5c6ee9067177f5215a25681ee6f25cabc599ee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
c0c4e37961132e55e0e615893d65f9eb

SHA1
91dd7ee8e0441f674fa2b952d091f118abafa50f

SHA256
bd0bbeae56817ab4fcdfa384e29d37ec059fedecffc9a10479b5717c73814c0f

SHA512
19400357ca8ae2b7e22e3f91e39f7afadcfc283a34fb93fa75d5a94df21cf40bfd43bb2aab3063222b40f120450177010e6ad0f6829f037cf72277873cb4f373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
95c7ce1cd6569de2c0acc8a6add43793

SHA1
5f27f921de7ce68055eae4be3fb7474e7648488a

SHA256
b8d0e064715a75b8bdebe0e44baadae888d7a0fb7b2bd425ee6f2549fd5b215a

SHA512
230984cad03eb381743d20982d4b1b784053f4c83f871a0e756aa640e471fba2f24fc469b46d79d46e935b58e2658870a3cf970ce3019b4a86cf4933a9ebecf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ab5d9b218d2332aebeb86c9cacbe9048

SHA1
6a453763b81ebb2b277e160af5c44a4d7982ec54

SHA256
2647aa72ada7876126260a32e35829a28cbfb0c455838651d1b3ba75ddbefced

SHA512
b7bf83b5e0e93e1d4499f5f967206632823a03807698659ed3268b72ed16983a5e30319a82519c8a32657fb2667c1dfffe28831b81b01f24dc7de060aac3700c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
315ab288cb1390aa5b64f30c328a90f9

SHA1
b719805150dd90816d6a6b9ce43556f472d7bbd3

SHA256
f8718c7f6cfcdea6038ebafcc8bebef43026595a68cba6cdac5d9ec3802efd9a

SHA512
5726439b38b1f73d924846435780ad907c39a729309351510c3c48bd9b2b0acd8646ac3a0f97136850cd66ac8be3dfdba2783348a5a3744122a2202a86b2730c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
224KB

MD5
98829e8bda0f9767af6895e342ad7076

SHA1
aa9f18f5d1d5264217bdeb6b949771cc5915502d

SHA256
84089623571be765f32c5408758fb74fddfcbfc144c3e3d2dd23630ff123d505

SHA512
21e1c3d128622546fb5a3782f38d2567614cf59ddd119a0139a6db5c56ace9a52ae9e130fd4de68737a54e5d3418217c063f2bdf65fe29fc8166fc0e2915b5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE5FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE620.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5f1b06b3492ea4b54360cf7c008b8c73

SHA1
58b5897c44dc8a5b3550e21d3d8efb1f34e15c53

SHA256
365a1924bd256fa5338bb38450913e68cadadbc3c0aab967e587a6f07a4a4013

SHA512
34369e5b6accb66bc2b80ac29038503e0699b00dfcdb83cd7e23f655d345e9093bfe56c0bf4585c55ff133dd1720d3ee83c38b6a9226c1dfc9e1b34a4a0adb45

Download Submit
memory/1656-50-0x000007FEF60D0000-0x000007FEF6201000-memory.dmp

Filesize
1.2MB

Download
memory/1656-44-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/1656-45-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/1656-46-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/1656-43-0x0000000001B80000-0x0000000001B8A000-memory.dmp

Filesize
40KB

Download
memory/1656-42-0x0000000001B80000-0x0000000001B8A000-memory.dmp

Filesize
40KB

Download
memory/1656-41-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1656-55-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1656-52-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/1656-59-0x000007FEF60D0000-0x000007FEF6201000-memory.dmp

Filesize
1.2MB

Download
memory/1656-58-0x0000000001CC0000-0x0000000001CCA000-memory.dmp

Filesize
40KB

Download
memory/1656-57-0x0000000001B80000-0x0000000001B8A000-memory.dmp

Filesize
40KB

Download
memory/1656-56-0x0000000001B80000-0x0000000001B8A000-memory.dmp

Filesize
40KB

Download