socelars | 7dfce4f0b796f94bdfe9b151ef14fdad018c8ed02017bf1e26b087f192c4e364

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4de12108a068accedd0111d9f929bc9.exe
Size

1.5MB
MD5

d4de12108a068accedd0111d9f929bc9
SHA1

853cbcd7765e9fc3d0d778563d11bb41153e94dd
SHA256

7dfce4f0b796f94bdfe9b151ef14fdad018c8ed02017bf1e26b087f192c4e364
SHA512

77dbc40615bc33f12ed26b23584e11b8e8ad66b408980adf973920a325f01803975ee99afec93b19e4cde14361d027226769f6d82e6fe4a6a56708b455de5ebe
SSDEEP

24576:HxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4sZ1Z:Rpy+VDi8rgHfX4sZ/

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	d4de12108a068accedd0111d9f929bc9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
368	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133475837566092830"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	d4de12108a068accedd0111d9f929bc9.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	d4de12108a068accedd0111d9f929bc9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d4de12108a068accedd0111d9f929bc9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d4de12108a068accedd0111d9f929bc9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d4de12108a068accedd0111d9f929bc9.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeAssignPrimaryTokenPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeLockMemoryPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeIncreaseQuotaPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeMachineAccountPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeTcbPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeSecurityPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeTakeOwnershipPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeLoadDriverPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeSystemProfilePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeSystemtimePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeProfSingleProcessPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeIncBasePriorityPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeCreatePagefilePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeCreatePermanentPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeBackupPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeRestorePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeShutdownPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeDebugPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeAuditPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeSystemEnvironmentPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeChangeNotifyPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeRemoteShutdownPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeUndockPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeSyncAgentPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeEnableDelegationPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeManageVolumePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeImpersonatePrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeCreateGlobalPrivilege	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: 31	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: 32	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: 33	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: 34	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: 35	3156	d4de12108a068accedd0111d9f929bc9.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe
Token: SeCreatePagefilePrivilege	4664	chrome.exe
Token: SeShutdownPrivilege	4664	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 1628	3156	d4de12108a068accedd0111d9f929bc9.exe	91
PID 3156 wrote to memory of 1628	3156	d4de12108a068accedd0111d9f929bc9.exe	91
PID 3156 wrote to memory of 1628	3156	d4de12108a068accedd0111d9f929bc9.exe	91
PID 1628 wrote to memory of 368	1628	cmd.exe	93
PID 1628 wrote to memory of 368	1628	cmd.exe	93
PID 1628 wrote to memory of 368	1628	cmd.exe	93
PID 3156 wrote to memory of 4664	3156	d4de12108a068accedd0111d9f929bc9.exe	96
PID 3156 wrote to memory of 4664	3156	d4de12108a068accedd0111d9f929bc9.exe	96
PID 4664 wrote to memory of 2728	4664	chrome.exe	97
PID 4664 wrote to memory of 2728	4664	chrome.exe	97
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 920	4664	chrome.exe	98
PID 4664 wrote to memory of 3284	4664	chrome.exe	99
PID 4664 wrote to memory of 3284	4664	chrome.exe	99
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100
PID 4664 wrote to memory of 3780	4664	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\d4de12108a068accedd0111d9f929bc9.exe
"C:\Users\Admin\AppData\Local\Temp\d4de12108a068accedd0111d9f929bc9.exe"
1⤵
- Drops Chrome extension
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff860dd9758,0x7ff860dd9768,0x7ff860dd9778
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:2
    3⤵
    PID:920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:3780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:1
    3⤵
    PID:4116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:1
    3⤵
    PID:2428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:1188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4912 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:1132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5312 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:4536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:8
    3⤵
    PID:1228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2756 --field-trial-handle=1932,i,8016159815570267575,1380848348950241032,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9881561933a9ddd03990d8f386036c55

SHA1
e06785acf50654a2cb5f8bf38be742ace1af7716

SHA256
f4d1cfb853c41ad14d244ebf317674f086217d7daff097e476fdcfcec5a6bde9

SHA512
fab3be5e9145fca05cb3f176b3d8b77f909806c5341ac52ee71528612a4d50ee3eed7fc095abbe715d1f5b2223b55fc994adfb049ffb70ee2e17a9f49910206d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
786ab5ea5c7ab9aedc6dfa3c56d1b0f7

SHA1
0d586ba523ddc12a0d443747c210bafc3e51a798

SHA256
2668bd86627d9a9413e96b4fed380fffd0c950aa57ffc88cc04c03772c04adac

SHA512
2b8ffc7fc2e70604c4e119d70d49534cbc688d4021483c76aaf848509f5fdceb234a4ccf82771ce56f0e40bcae344bae42df1980790bef698afe426d1d84fa67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
df9b351f5c195060fdc581427e12e499

SHA1
cc742c9b65d565a9a610c5df3fc73348b5513f86

SHA256
abd9e237d74df1b5eefa4a004855b9501948da159ace5bd4eede72907e9f59ea

SHA512
8302a6c49ad1ea0f307d77a9b1a3b6b51f4432cd10f2daeb0c7acc71b7d38458631421dabbfcfc1a53b1d9117d1390754cb52ada2a555da1adce46c661afc367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf67ed391e662072ecc236b5fcb0742c

SHA1
6a8b5792fae98c58ff6412f9dc9c884281f014f4

SHA256
201ebe153f8ca286318269379577588a09ec00d0cf37cc83af6443da01f3b0c3

SHA512
6b3070e55b029f69812ac95b87e6afe1b8d5e9e3067da72e1e2fd2228c56daed17862d47b451e88a996b090c8b4d07283e646d443432daff32035a6fe179c101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
09b64de2016c584c9524825667e58e80

SHA1
435ba98e621d86103d998e31f70976dfda330aa0

SHA256
1e020a4763865ad20fe95d6d6020f17e88086e5199c8e9f78d585ad8fb05f297

SHA512
2a905665c6b6604e291b6721fcc88c851ffcec483545deb21b91554dd0b38a18e4a2d724c519423ea954d48b32726fd91b317eaa27e08c5617b25d2b085dc1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
4822bdf325ceef2fa1cbd1cc406db879

SHA1
9f8cb61e7586e40087e4c854dcf96589238718d6

SHA256
ad3ec5c2d905171524b6eb66476a4489a3fbe3737fd16e607f914724af42be9c

SHA512
50e3b2e63889548576415ce8261400026f88965508317a69b049d1f8c4142f7497009cbd18a507cce3fbd79bea0d650e85591e2bdf47491c63c76a8df1eaf7c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
224KB

MD5
b60b3afbef2cd7a4c538cb00df624190

SHA1
f31b26fd6d84962b619f420b8fcbe13c8016f86a

SHA256
f4bf0751033c4ff68fde5dc3bd9af0a28b51271beaeb45f3e5492e94293847a1

SHA512
4b3fed199a2e9430fd7efe1ad8bc4f917e688ed880d009a1295c97f6966d3c2f5c8f0642b6d9cbabe9b47796d0fa71ccb5cc888fa4503735692c9a0cc009bc2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit