socelars | 27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Size

1.5MB
MD5

ac075db74a9426e1fc71f6a639acd05a
SHA1

b6977b1f25e48c25ad90842d758579998908d760
SHA256

27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145
SHA512

3848a13efd8b5969ec77bd3806c4343041da6e8ae3a2efe4238478b16fb153b20cb3768d761511bd7ad47d431a29172de55711c4a857ae06c0f7c3b8ed3d8981
SSDEEP

24576:DJSLpwfVWRh0SGQ48Lm2194mKa4qrNdW9NTPjQx9qBw:Dup62ESMTjTPjQjqe

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	iplogger.org
32	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1676	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538674613904862"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeAssignPrimaryTokenPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeLockMemoryPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeIncreaseQuotaPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeMachineAccountPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeTcbPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeSecurityPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeTakeOwnershipPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeLoadDriverPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeSystemProfilePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeSystemtimePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeProfSingleProcessPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeIncBasePriorityPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeCreatePagefilePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeCreatePermanentPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeBackupPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeRestorePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeShutdownPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeDebugPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeAuditPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeSystemEnvironmentPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeChangeNotifyPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeRemoteShutdownPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeUndockPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeSyncAgentPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeEnableDelegationPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeManageVolumePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeImpersonatePrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeCreateGlobalPrivilege	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: 31	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: 32	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: 33	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: 34	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: 35	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe
Token: SeCreatePagefilePrivilege	1884	chrome.exe
Token: SeShutdownPrivilege	1884	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe
1884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 4576	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe	91
PID 1876 wrote to memory of 4576	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe	91
PID 1876 wrote to memory of 4576	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe	91
PID 4576 wrote to memory of 1676	4576	cmd.exe	93
PID 4576 wrote to memory of 1676	4576	cmd.exe	93
PID 4576 wrote to memory of 1676	4576	cmd.exe	93
PID 1876 wrote to memory of 1884	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe	97
PID 1876 wrote to memory of 1884	1876	27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe	97
PID 1884 wrote to memory of 5112	1884	chrome.exe	98
PID 1884 wrote to memory of 5112	1884	chrome.exe	98
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 3600	1884	chrome.exe	99
PID 1884 wrote to memory of 4448	1884	chrome.exe	100
PID 1884 wrote to memory of 4448	1884	chrome.exe	100
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101
PID 1884 wrote to memory of 3372	1884	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe
"C:\Users\Admin\AppData\Local\Temp\27d5157bf402388227157ddd0a261c745985230d2549409f629beb87ce97e145.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaacc39758,0x7ffaacc39768,0x7ffaacc39778
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:2
    3⤵
    PID:3600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:8
    3⤵
    PID:4448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:8
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3052 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3756 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4772 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:8
    3⤵
    PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5612 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:8
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:8
    3⤵
    PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5596 --field-trial-handle=1796,i,12493789994166504773,14104888481113440490,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4156

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
6836e6b9f11f031e4db530ecc1370d8c

SHA1
bc62ef17b8e1ca7d04764c6f26f335805efd76f6

SHA256
378c7e7c79865e616872a68132df5ff4edc3685be9680579cab22721e4673256

SHA512
c0ba46189936c98fd9ddf546532394ff13216dc646daf69500d776619e58e730285dd0195f0f10b0b98444106f69e53fcb06c9d1d7180e4fcdca2801d961face

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
35e76c42cce2b56be46b3cc7b83b4643

SHA1
9a33b6575fc62063f7b0056e6d4c3ea89b19f92b

SHA256
8afdef150b9cc33a4a3ca673d06ec913661de535fa93f0b79a0693afa360df5b

SHA512
27c86de213eeec4b7b05ea84a6d4213947c9b363ee0f8879ab388864b3eff6c6dbf7ef5dfc78d420d6d9a8277b4805c68349289b9f2d2e77673b0c48f2415f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fa00ddf81b22d40e5d7919f578c96313

SHA1
945d798fe505fd0d62722842c3dd8db77c5b497e

SHA256
9476c6478286afdc394ed097dadd909b60a87da595cddeb663a3246d217a3868

SHA512
02d334cfdde7c9ae815e0d39dd2381438981b0d67110e18e4e33e8821295c86018f5d3750fa8acbf515a3a24c503d87f0044b3c1225ff6a8dc2fde5f57d640d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c7b0be642cc246b6fe3272ddc3c700c

SHA1
e5d1b2be12aa33c2dc5c71d3fa5c9ad2a136f6c2

SHA256
6f303febaf140c2913392d4ca5e6ea09d33cf1c5b6b9de0d8d88bc6268e6c04f

SHA512
f0b372d84ff018d3f9a3a8d8d0340f57fbdaee9d1af3ee93be0e3aaa5dc0b2fe80eb7d3b17b09559b0f393eed81a9836cc6f1bb5ebdd5e3c8fa9c71c016f5bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7952799caf1d5e53efd04bb404af2b3e

SHA1
5ec03e55edd10aa529f3305c3b4789cb17c297aa

SHA256
3312dafbf70e6f1dd1c282a29fdb3b4303ea3239d8c1d3279ae408bb7d3cf547

SHA512
2ff7a8246513c5637f1ee27f229f24bfe58a906b65d0f55d92924a233ffda971e801b11849b5cb1b174d308fa96eafba549405711642fb50f687dcaa696addeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b58133eac16140b983b91ee4913d3843

SHA1
5c4249cb1e8ffa4d279b10423b5bb8fa2f8bbc71

SHA256
e53f35d5b873b7c8ba6f55c4a630d88ee7d6fbf6f1b3292ae5b2bdb8c01fe40f

SHA512
9e11b8ce5b4ecca36da33d1eaea05e5541b7f8716f0d289b4efa1ce866aa6289838e2f544a0121400af2ecba3cbfee0c11582feec026c864c913d1a49ad0a917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc1c07ce9bbe0e99fc24ac47c1327e80

SHA1
8762a245ca41fef2fe030ced25889328cf1dd25d

SHA256
3cbb826e2bf67d17511ce4988180bd9b7eb9b1e6a218857aed53b96012349954

SHA512
53f2e89114f943e3df92b10051728681eff9a4db41d16d95a3900847e1fcb8a8612efd43d0412d24adbc7ac2b16373645061dbd36a21819093349d573d98809d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8aa6024c3fd22cbd312f709239b45597

SHA1
aca4560f0848aff7953d20b4c87ea6cbf18e1800

SHA256
56760b0cde7535e50c1b599d9764729131dc74c4aabe3b61c2e2ad9b1a209d81

SHA512
22368753cbd18bb2c03b87f0a4f28925b1714ae8102bb6dbfa68c23c2ae9900c3e77556aacb48793b099ff076e68b4b2e20c48566859cd3a5ebfecf9476ee558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
522bbef4c91ecdff2df44d13c8a7d29f

SHA1
325c51885a6d9f4ba37bc93e008bc014b1ac99a6

SHA256
cb9a317b2b1a6b1530835c33dd66003e6fa5860b2adcc5b15c9fdcd641912387

SHA512
8c176cc0f654ef0e27bd5338be0d85addfef0d275bc314f0b566f884872e37c8704741fbfb19f113b61d98c80d8c32960c007690cb01b76db2caa4a3a0da95a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
de5e05c5929e3e060445e01f88b14566

SHA1
6aaadcdcd6f90fe8f49aa9ece25024c806977e21

SHA256
e21f9b3c1405d42fb62dc8c0ad5866564efff6de2380be492dd7ece852544918

SHA512
f4c791ae746f4497f8c74f247180ec32ad966660b8ca703cfe5ca6c666c3d6dc0dfdd170df8b72fb6dc161c2b7d81164b6dce9941706328449799f9400c6798c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
664018682cd288eb476e586ac270e0fd

SHA1
7afcff93615029c6915a79b81c46c7527a4397dc

SHA256
c6f79c19f2bbd4d881e86cca03bd7d12c631ef90152de4bd32ac3f863eac587b

SHA512
387fa7f0aa71815ceec0afb38c8313be52b928a6065ca40e21aa49ccd874ef49937ebece12a7246a7e9eec6140516dc5dc36e3d2c378523915c3ef95a876b1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
a3e28c6475cb5e9dd9fa61ca0e167497

SHA1
5099d39c91e51e9f3d631312c4e3534b7d7ca1e8

SHA256
734d9ff3b92933d2ffa5476d4e3d25b85afc7008f1b510c496ec6ab882d59879

SHA512
18b354a59f0b71424897e1ebe6b92ef76fe60989bba91209f3006ca4d624f2941c6dc9a3e0774e3ccb30ff48a9ca4c989791b12f2477d1f53fff26422c190cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit