socelars | a2a3f8907ff936adb1a66d8e83c64e0949ac0c0777d5c76856bb528b6a2e41bf

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6906872ca28ab6d56c8339b95d663696.exe
Size

1.4MB
MD5

6906872ca28ab6d56c8339b95d663696
SHA1

119c496ce63af7eb1e37a5d4cdffded1ce80bcb9
SHA256

a2a3f8907ff936adb1a66d8e83c64e0949ac0c0777d5c76856bb528b6a2e41bf
SHA512

bc2adbc4e86156948bdb6c97425776a2134ea2da05f743b43d84952f2b93060a93e9070fa3868469b8c7e4add4be0dfcaa7cceba025d4c3bf059b4285193a4ad
SSDEEP

24576:cxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3GZ1AY:spy+VDa8rtPvX3GZyY

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	6906872ca28ab6d56c8339b95d663696.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1052	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133474976731295533"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6906872ca28ab6d56c8339b95d663696.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6906872ca28ab6d56c8339b95d663696.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6906872ca28ab6d56c8339b95d663696.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	6906872ca28ab6d56c8339b95d663696.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	6906872ca28ab6d56c8339b95d663696.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeAssignPrimaryTokenPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeLockMemoryPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeIncreaseQuotaPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeMachineAccountPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeTcbPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeSecurityPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeTakeOwnershipPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeLoadDriverPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeSystemProfilePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeSystemtimePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeProfSingleProcessPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeIncBasePriorityPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeCreatePagefilePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeCreatePermanentPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeBackupPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeRestorePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeShutdownPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeDebugPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeAuditPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeSystemEnvironmentPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeChangeNotifyPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeRemoteShutdownPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeUndockPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeSyncAgentPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeEnableDelegationPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeManageVolumePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeImpersonatePrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeCreateGlobalPrivilege	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: 31	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: 32	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: 33	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: 34	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: 35	2944	6906872ca28ab6d56c8339b95d663696.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3884	2944	6906872ca28ab6d56c8339b95d663696.exe	91
PID 2944 wrote to memory of 3884	2944	6906872ca28ab6d56c8339b95d663696.exe	91
PID 2944 wrote to memory of 3884	2944	6906872ca28ab6d56c8339b95d663696.exe	91
PID 3884 wrote to memory of 1052	3884	cmd.exe	93
PID 3884 wrote to memory of 1052	3884	cmd.exe	93
PID 3884 wrote to memory of 1052	3884	cmd.exe	93
PID 2944 wrote to memory of 4868	2944	6906872ca28ab6d56c8339b95d663696.exe	95
PID 2944 wrote to memory of 4868	2944	6906872ca28ab6d56c8339b95d663696.exe	95
PID 4868 wrote to memory of 3060	4868	chrome.exe	96
PID 4868 wrote to memory of 3060	4868	chrome.exe	96
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 2812	4868	chrome.exe	97
PID 4868 wrote to memory of 4920	4868	chrome.exe	98
PID 4868 wrote to memory of 4920	4868	chrome.exe	98
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99
PID 4868 wrote to memory of 4980	4868	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\6906872ca28ab6d56c8339b95d663696.exe
"C:\Users\Admin\AppData\Local\Temp\6906872ca28ab6d56c8339b95d663696.exe"
1⤵
- Drops Chrome extension
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7a7f9758,0x7ffc7a7f9768,0x7ffc7a7f9778
    3⤵
    PID:3060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:2
    3⤵
    PID:2812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:1
    3⤵
    PID:3436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:1
    3⤵
    PID:4372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4792 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:2552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:8
    3⤵
    PID:640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5208 --field-trial-handle=1924,i,5813408074805526012,14715103511995187627,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
77d9ecea7e57afd2f94c5582c00e3b9f

SHA1
96e19b33312de18702bccef051b7ebaa4fa4b6c2

SHA256
abdb8c0b9220c427d2035dff328dfb6e8014bfe33e0451e20a38d6f6ccd61171

SHA512
12f4f81fbee932cc1aa0d7a645d64b0aeefb2155f4d052caa4cc1cdd0bfe6b265cc4a4f442d27fcb339881b2744d5eb809b2aa568bac9d4cab0e1c63add27b77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1939ee95e7fad2d88bb7ad250cfe7a72

SHA1
6d7e3f4fcc532052fec802e8025f6f45f34b8887

SHA256
3d8fd8b754ba9abdd3176cdf4bd3e94a19a74b8f19b7df0f11dd2ccc4462d8ea

SHA512
7c842644ad538e1be656a31deb9dc35a458d84c33f504f6f06105002ef2cad53f939514e88d231bc8c75c5d94217d912d37fdfaca5f3cac578d9ffbc44e0f535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d104a02407f9cc84f088f142a3939da4

SHA1
b06cc775cebc7eaa39f7404e1fa5537558ace196

SHA256
d9b3ee166eb7eae37b031d1ef47504aa6bc3fe99714373858a24d6c338cb5925

SHA512
27c663bdfe05daf4521ed9bbfe4bf8a095286c468a300499a9166c294abe369be7e3d8b85d35228a54e6b0c97d42185eb962ad7f927b3a3ffb10abc4f0c20ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
855516b47f2dc503878dafbce362e79b

SHA1
a99e5c19d9fa05d36f05222201ed5b5a0a62c01d

SHA256
b336c3d26a9b0d2069a7a1c3e3d818c0df0c40982d2877b8e7c79e7f56fc06ed

SHA512
0e785da923667a19713164a8aafe630d8223162551ff2e13f6c8e76ec5938133642448cf809b4288374410ef7324c01da897383cca08620764ad2ed9cc419c92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
af8046dad8114e5def7f4ccb545b5791

SHA1
bac42f42b4ce089d63a38f6c10e435b6f4ca1767

SHA256
d84d7b16ce4a1e8689f3d24aa44452016b19d3608f9ae7caa3eebcc5af814fbd

SHA512
a4c54f0e699008525d9bed8447a10505eac4dedfb98923d4ea31dbe65e92447930cb1fe5180e84cdc825dc9f0b34db45dbe284b3386cb98b2fd321859027f143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
20c459e96e0115f1e5e9fdcb65dceaae

SHA1
8e58d780dc7cf9e2c77758d87508be1150600a9a

SHA256
94cbf56e53666d928b79b9ed7ebc888ed5d37b87593b43bd6d4324d8d9c0aeb6

SHA512
1b2569738b1ce86e223b2bd76c04856f08a3d3959c2bde9611904a8de7addcb84f29de22e4b693f1f42b6249fb6b41afae9dc275bbd501472138d66b77a324e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
226KB

MD5
f6decceac1f88c514f63ef5636d70695

SHA1
76c12f004c17e960945347ef839928eec19ecfd8

SHA256
88facf2ee588d73dff4074e755e6b32b9a89c1c9d7005621e4655ec04ac6a38b

SHA512
8f46c2f60fbc06668552e0fce2eea15d770a8037afb87d956696788c7e1f8c66001afa9d21687dc5ce997cfc82fc709766133abb707682ba38692c62071592ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
226KB

MD5
89828754b658e8fe095c09c77458ecae

SHA1
906a7d4e64ed7823cc85f6388d2784a3895cbe29

SHA256
d3f2673c4daa2c46f9408517f12e5857cc4a1f5b7e081962372c9d3fe31b9728

SHA512
54730f065f705296f83097fb5a733996c662fad80c53930fca14ac2ae301d09e6dcab8f1db00a3160e2201721959b01de70c853029f7b4524a02ed510882f2db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
0ca57a5834b57b2cd4a461d98a0f9f61

SHA1
b60b286765622ad869e4ea52e57452adcbf226ac

SHA256
a4a1d4cdf2523d2a2bfe965092740a6d3ae1cf0fea073dbcb4f88fd07f3cbe2a

SHA512
c2ee3a178a383c79d126f0a0e3e43d745c2d43706892efaa1c8d80f40793718cbb9f93cd9a5829b66a00d00df18b84f67ba1cf2734157f96b7a6c7739ef7d645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
4135636db47b146f669bdef68029b533

SHA1
324bca2998a99d5cc0eb440ee3595d30d158fc5c

SHA256
f785fe5c3d2b97b45ba86563aa48bd60457cd390f1dde64fab5dbf43cfc46c75

SHA512
54a1f7fa9e25dab56a21c6eeb944bd6c33bcb386b31497a715c3782724b1f32aab338592fd592655cbeb91d6815a3199bb0ca43cd5c15bdb09fbe1780442fff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit