220c302d83b5894b124e942e338543f29808d4536f76fa4606e6ee637e1b7371

Analysis

max time kernel
149s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTool-Discord-AIO/MTool.py
Size

7KB
MD5

9b0db79cb1018cccfee6a961862c225e
SHA1

88bdfa52d499e0f51192e08ce66512115e5e7c8a
SHA256

819dc416a6391564b733f1566801f87681481b0247025a6857bb69f1a9dea6f2
SHA512

5cb703f866c6673e4fb14b92978f0ad712a7820fe7b0da26d5dc02747c08b634ceb11cdbc05203b8560a1eb2d6c17eca2434dc5242c07f94bff542dc8fb4cf9e
SSDEEP

96:vpn7TuDuVDq1jrvgf6ZKDXDUvHmnmtJpLTHluMEiyl0a:vl7KODoYfvDXDMtJxb4ie

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674342272969657"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1252	chrome.exe
1252	chrome.exe
4668	chrome.exe
4668	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
168	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe
168	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 168 wrote to memory of 4468	168	OpenWith.exe	77
PID 168 wrote to memory of 4468	168	OpenWith.exe	77
PID 1252 wrote to memory of 1552	1252	chrome.exe	80
PID 1252 wrote to memory of 1552	1252	chrome.exe	80
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 5028	1252	chrome.exe	82
PID 1252 wrote to memory of 3008	1252	chrome.exe	83
PID 1252 wrote to memory of 3008	1252	chrome.exe	83
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84
PID 1252 wrote to memory of 4488	1252	chrome.exe	84

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MTool-Discord-AIO\MTool.py
1⤵
- Modifies registry class
PID:2428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:168
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MTool-Discord-AIO\MTool.py
  2⤵
  PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff81c079758,0x7ff81c079768,0x7ff81c079778
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1860 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4056 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5068 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4208 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4632 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5228 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3928 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5100 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5380 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1844,i,14847654457538895782,6548518094485416660,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
fe1542e2f4a90ed3f19b3a56be3ce5e2

SHA1
1a9554e42de12a5fea36cd413c95a1b7c2271de2

SHA256
95198e81c391c3bb6b8b18b757d027db5b3d6a58dcf809b8bf20af71c8fb5539

SHA512
4ad9c6b6d4c2d0244dff09622fade24ba021ad5021945e528e63bc0112e27f252a9058e2aa2ff22e3d2ed21c5e11cdf67cf188da3ed4f0361b49066513c8c80a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
0b28331205332ac0002ad25638c97595

SHA1
597366820fcd09ad65512a9e5c916a6cc7ee13c7

SHA256
43970e4e534005069a2216f62df7ba3590cbdbcaa77e559a565866df2f04d0da

SHA512
835e7830a5a1670a7ce7b3ef497fbfeceb7b359e63d83099836380e23667e0365d1235f175edf25f70df3a125d4d8fec298aa0958f0a3e53c00b7abb6ab14204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d94c547d881f117ee625a79cc00a8f7b

SHA1
a9be6e244c7a62bd3bb5a7ae8657b5ef863d583f

SHA256
7100fef37a3d959cb07cdf44ff3614cf7da0765af8aa4e6d48cec8ecd02dd45c

SHA512
bf05939fd2f61326da1a731e6c4329c51015ed3e56ec12a47e1b8fd65e79b487ca73ff540666d793a79b7e29b4c3db364e4588f064a754362dd06080d34f01fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
f173978aa3e6207d425824b6cdcbb0b4

SHA1
7c5489d40f5da194067046dd7c2582caf4abcf3f

SHA256
e47165637b2cc7c530ab40b7d08359e7fc31d9b0923f0b6dee381c75094d098a

SHA512
287256485e9b2bb87e783a36e33cbc55def2d57fd2c8fc4d5550f62425f5e5ddedebedac1b2556670ec049f390cdd199a1407d19d8d204eed38620919e02ec64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
bf4408a88df64e6e6564ed751c98a3b6

SHA1
0389f21c050d636527347c96d9dbffb9c9caa163

SHA256
1e84019ecf3230069c2ed33252cfd0d3bd80067d955e19e6e98c6c45098ca64e

SHA512
e83967320a7b4db1f89369059a2aeb41409b518c8912a8ae743c5a91cec9a5be655cfdc61c4d2b69dbab88752ab19e0bbb098dd2bb3b471ca9874d80f2a973a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f7398eeb8c3952c9ad70fff40ac0fabf

SHA1
164e0ee3924ff8ff5c7f934bf6203b13f85d4aa2

SHA256
8718080f0f035a1e3c163d40c990be962260499a5a93e048199d8d4f92eada29

SHA512
69e076ffa3327fcd58f5e30f6347488590cf4ed33fd814caf609e6b78d11a74b1a047192d949f6a3bead1d24860df8720c5e63078da77e791a83e322820f1891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1383a0de04afbd886f80c8cb9aa8c6a4

SHA1
09bc22d1afab6430d9815019e04f1d3c8b588238

SHA256
f478a6c32b1b7d7594b00302682ee421eae326e94381846109c592bfb8dfc05a

SHA512
81086784496412fc3908594a223b01233e5588a25e864ee37b60b151dc5ca2ae7f3fa744a62ebc5fc171a6d432bbaed3e830ff314b65a7cc675d5f312633dfcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
885a9ba0cf61356e9adfb07b5d64953e

SHA1
9f3d585c56d596538f8d07a5c872b9f5336daf19

SHA256
85fbff3f35b53c8d5b4a1a974bf5f2b7f7b7f68f20609b042e214b260956cc80

SHA512
3ed4607dfaece7566cfb79503a90da904dd5b21a849706c2d454583a5798309acd6501b1cd62b05811e54fd4d491c2df9c1246ac066542edd8b4cbef8f3b99df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
890759b9aca500612e7087ea5552959b

SHA1
6ac7f24ff536d3a26e958ea7aca7cd49adcb2f3b

SHA256
73de09b86f79903cd261838b5b7f609cb641227f6e9f6e7c0d41dac66a9ed546

SHA512
06bf2e947c08ae85e446ad7b2d12f6faeea72587e915d4dea70d469b6619ea25ae4d146578469a3dce655758bc3fd722b1fa107ce0c20a234510d3311398c656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
291KB

MD5
6487090bd918a24b181a0f5f7729d263

SHA1
fd6d27b9bcd70d066c92321c52497a1afdd7f936

SHA256
ec7ea403059e0b2e28ae8e555878268a73c34341935df78425cd9f77d78c8aee

SHA512
2f9eb438849117b972177d61f469fcb4880f20358b6486e4665193ffeda9fa5c3b680d1e1e02e3bcab41599c3d70beba1c4412deab4bd70c57bce80b7b146011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit