socelars | f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Size

1.6MB
MD5

52576b28157b0aae373e927fc9c56a68
SHA1

e0173b265bf9944223e90689448d1855506fa57b
SHA256

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1
SHA512

51548af52fd852d80bec27fdae855c181827d5139952bfa2c15b0337d4534932ae364620e0dd352a77445d1bd8ddf7ec04c9c126231944a8f295b61c69a8b0f5
SSDEEP

24576:sJSLpwfVWRh0SGQ48Lm2194mKa4qrNdW9NTPjgD1GqBbn:sup62ESMTjTPjgD4qBn

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
63	iplogger.org
64	iplogger.org

Drops file in Program Files directory 10 IoCs

Processes:

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
3652	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133537124946558075"	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
4240	chrome.exe
4240	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeAssignPrimaryTokenPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeLockMemoryPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeIncreaseQuotaPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeMachineAccountPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeTcbPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeSecurityPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeTakeOwnershipPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeLoadDriverPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeSystemProfilePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeSystemtimePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeProfSingleProcessPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeIncBasePriorityPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeCreatePagefilePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeCreatePermanentPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeBackupPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeRestorePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeShutdownPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeDebugPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeAuditPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeSystemEnvironmentPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeChangeNotifyPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeRemoteShutdownPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeUndockPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeSyncAgentPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeEnableDelegationPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeManageVolumePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeImpersonatePrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeCreateGlobalPrivilege	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: 31	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: 32	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: 33	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: 34	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: 35	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3556 wrote to memory of 3044	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe	96
PID 3556 wrote to memory of 3044	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe	96
PID 3556 wrote to memory of 3044	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe	96
PID 3044 wrote to memory of 3652	3044	cmd.exe	98
PID 3044 wrote to memory of 3652	3044	cmd.exe	98
PID 3044 wrote to memory of 3652	3044	cmd.exe	98
PID 3556 wrote to memory of 4240	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe	99
PID 3556 wrote to memory of 4240	3556	f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe	99
PID 4240 wrote to memory of 4348	4240	chrome.exe	100
PID 4240 wrote to memory of 4348	4240	chrome.exe	100
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 4968	4240	chrome.exe	101
PID 4240 wrote to memory of 1096	4240	chrome.exe	102
PID 4240 wrote to memory of 1096	4240	chrome.exe	102
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103
PID 4240 wrote to memory of 4268	4240	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe
"C:\Users\Admin\AppData\Local\Temp\f6ca7c881922c8d686901b0d4e7ec3d8f6949c616281cffd011ded8c0ff3dfc1.exe"
1⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff866fc9758,0x7ff866fc9768,0x7ff866fc9778
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:2
    3⤵
    PID:4968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:8
    3⤵
    PID:1096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3008 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:1
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3644 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:1
    3⤵
    PID:484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4132 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5988 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:8
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=6108 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=2004,i,4121045863288154074,1493918568619422424,131072 /prefetch:8
    3⤵
    PID:1028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
3c394a084c446f9166ecd4fa85f6fded

SHA1
17f50be2c60151556ba7e10d217cd1ed3ab1cfe5

SHA256
298c585fccd3fba232c525d2e09067906912b8dcc5ec611a6cfc284dfe77d592

SHA512
fd8af5f91857a85039bdd186914f04fb1db677351936fabf418715798b5950a54e7be0a5ba0f197ea4a0e0abc770d03c7fb8ba365be7c99831ba06c33ffd032e

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
03ac6af246c33e73a77a778ea936a932

SHA1
cad9b0b960016205eb391c31943ac07d57376379

SHA256
31b56a34a6cb54b7a1128f9c5b6989f4012f92604417fdfa180ba44be345f94e

SHA512
6269f3efca059e6e916cbda8f5f03938525b0ea4333c543f62140c5942d8705ba55233984134c6fb43fe3f16ef070722391154b735fbb6cd7100551e787426ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c23f3c913082b7aaedf316edc17214d

SHA1
91e0cb45fe3a0d8b5be27c1b84477d347545df26

SHA256
e582784021f9de0d49f83f3a6dd0d2d81022af351624d8c01f6246058a51367d

SHA512
d66b53e0640f8380869ceb8bf1b9e338c0431647b35196f1b29a5c5856574bead9deedb32c353fc4a0a708343bf447cc8f486367b296de9e8056093c9f7fb500

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
2106692a3e247175da5ba4cdffd9bfde

SHA1
94348f8976d9793b2d0aafb999d32e7d64b109ef

SHA256
5838f4f12a2a07beb9ba3508549eca562c2a511a3b5cef477c5cdf5d24305dc5

SHA512
b166a5121669720888fbc0c76b6ca58d4fb7cc068cc8d66abd7f9a7b1463de35a8b5fc83bdf7a630fa256ca75b1a6749bbe4d6a855dd26fafc163846decbfdf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4e810ff2b1932f81f1a0071337273381

SHA1
d9a4e3fbdbb9f156f223f53e925b4601aad41f8e

SHA256
92416571ef223f32d976bdfc728115d4428f589d7fc061e7da3d17d7d3723370

SHA512
f17442a2c850714b6a06ee7ee2292966409f79be24c1add633cc64cb2f36c85542919fc25195ae0ee64a429c2dba95b49198a937b43eb06d0630e98f8bd44841

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a2a4ecb7da03de3622496bfeeda52aee

SHA1
609795bf6b97980427e7038b7b0c7ac8f7d67ef0

SHA256
0f9b32052ced0b5816ecb8a44c696d745336761c8bc651b9c547d994350e6768

SHA512
a97ff6f385f9623c2452f25690963acc0d8d81cf5377afef26abecaf9921e038e3376fab75816c83ffbea7b03d2fe1352af1d78322734c3bbf0bf315ee337e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bcc44168c3bc627aa6cb94af8bcbbb44

SHA1
031af9ac47d7fa3827aa5b1684b497d798d74634

SHA256
a6557dc983a7db8d15663bd411ab6146996bcbb422a328b0609be5ccacfa3d4a

SHA512
e23341a1b212dd8849c02ca8764d567a0e7e06bdbc3fa63b6575e94c365c1d20857c89c3e1e8c59d3bc88c885cb25bf62a61699e009b1be172e02bdacd4530c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a6ff06e1925b5352d32349152e04c38

SHA1
8daccf1a7e06983c578022e2a888baf2988052e9

SHA256
334733eaf69ebdb020eeb990bddc6a523ed688ff90dd0771fb073f0015eacf8d

SHA512
527ba3cffc6fe7a2c214c5ade016e166716e8dd28a16fd9956b1f9b25441a8851e627c6346b329be3d87fc0ac1d385f750a092c667b92dd1f66c1299577b4313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
81d7d760c6aaaa057c065513b7704fbd

SHA1
3beba4963e45fb8b6e48f5e8046b0d7bff9f2e9a

SHA256
af5db05bd1cda0492a014595c1af0f7f863b4f0cc86bc80f839127b14dfc2220

SHA512
43de2b6acbf012f279378178ed7b00601e64616208a78446ed5a9cb8b15fd142afdc062b209224f991d87b2f1dcf81e1ee2732153a77188886a9c0c9f877c941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ca93b888de8cb593cd169b5d1412d444

SHA1
298f15a71643e88b234e1d7af3a796f0e16c2a7f

SHA256
1d2b7d5c0977769b6ceecc896d2556ba622ac52dd4f0aab445f77a21a1136af7

SHA512
dee295b36b38bc6c10b44099ba1d2b15c63a804339300a1e956983db0d3e4c002cf2e78bb25d881cfdcd83de4d598da059047d2283e7ad296235bf591d86acb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
aad8601f879b3d56e553b0639f34c1ef

SHA1
c83ef9cc5e617313034a2e7595ff981c15f062e3

SHA256
0a31440aaf9d0ed7c998ef7b26aa21aa3eca42d899e14c79531c6b397b70a48a

SHA512
88576b3bc5047b81748067f9fa514d8e1e6ce94964e475da26efc60b1b79893a9f4d54540c999f21d7325c3854fb8322e54f3b9348dbfed98b93010e5737fa66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4240_HHDAOWJRPGZWITTJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit