socelars | 3673f09e36c44e87ce76082c900906e8abf001a9e3459ab1cf995cdf9c1de54f

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Size

1.4MB
MD5

6ed21f7aa1df0769e185b6dba72084f9
SHA1

0cb7edceb3b79b6e723144789b4c6549daa57f05
SHA256

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1
SHA512

bbfb5f5660b185ef5cf3ff141d36f0f88c427eca9fe4996b82fbc0f340944bbb3fc2dccce45da1445e76b3f63ecdacfa73ed932d444dcb13abb256073c815737
SSDEEP

24576:axpXPaR2J33o3S7P5zuHHOF26ufehMHsGKzOYffEMSXkdOZ1w6:apy+VDr8rCHSXuOZu6

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

33 iplogger.org
34 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
33	iplogger.org
34	iplogger.org

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4532 taskkill.exe

pid	process
4532	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695439647661674"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4724 chrome.exe
4724 chrome.exe
3668 chrome.exe
3668 chrome.exe
3668 chrome.exe
3668 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4724 chrome.exe
4724 chrome.exe
4724 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeAssignPrimaryTokenPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeLockMemoryPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeIncreaseQuotaPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeMachineAccountPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeTcbPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeSecurityPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeTakeOwnershipPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeLoadDriverPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeSystemProfilePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeSystemtimePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeProfSingleProcessPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeIncBasePriorityPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeCreatePagefilePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeCreatePermanentPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeBackupPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeRestorePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeShutdownPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeDebugPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeAuditPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeSystemEnvironmentPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeChangeNotifyPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeRemoteShutdownPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeUndockPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeSyncAgentPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeEnableDelegationPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeManageVolumePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeImpersonatePrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeCreateGlobalPrivilege	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: 31	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: 32	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: 33	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: 34	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: 35	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe
Token: SeCreatePagefilePrivilege	4724	chrome.exe
Token: SeShutdownPrivilege	4724	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe
4724	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.execmd.exechrome.exe

description	pid	process	target process
PID 1212 wrote to memory of 3908	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe	cmd.exe
PID 1212 wrote to memory of 3908	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe	cmd.exe
PID 1212 wrote to memory of 3908	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe	cmd.exe
PID 3908 wrote to memory of 4532	3908	cmd.exe	taskkill.exe
PID 3908 wrote to memory of 4532	3908	cmd.exe	taskkill.exe
PID 3908 wrote to memory of 4532	3908	cmd.exe	taskkill.exe
PID 1212 wrote to memory of 4724	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe	chrome.exe
PID 1212 wrote to memory of 4724	1212	34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe	chrome.exe
PID 4724 wrote to memory of 3916	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3916	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3696	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3992	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 3992	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe
PID 4724 wrote to memory of 1504	4724	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe
"C:\Users\Admin\AppData\Local\Temp\34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8addfcc40,0x7ff8addfcc4c,0x7ff8addfcc58
    3⤵
    PID:3916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1868 /prefetch:2
    3⤵
    PID:3696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:3992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2656 /prefetch:8
    3⤵
    PID:1504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3680,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
    3⤵
    PID:2884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4844 /prefetch:8
    3⤵
    PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5108,i,15687881942184211929,14992502782176528815,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0d13872e7703443cedf625cdd114112d

SHA1
16988e8534abcc2bcdd5c667d7b6559eebc59db1

SHA256
fb5b696dab6f5f16aa389c92aa7ff5ded5a376311f81a16a030e10477707faa4

SHA512
0a1d11aa3a83ab6750cad2f826cbc73ce3343f6a817def7244017b3e168c8166f10b1ba6f7e3180c6ba06a3efa22ee8a7f29b9dcf4a51f26e07dd12b3521f067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2f3c864e-884a-4b6e-8e49-518aa5504b48.tmp

Filesize
356B

MD5
ec2768b7ad6c1ffefc2b5d73f99fee44

SHA1
15c4b893b5a3904040a91dbdc1ad4f4cd7e06b18

SHA256
83dbbfa5a10600bb1bd7edc518509257e2dd40af4ce021d38d5c349dd4d038ec

SHA512
1d82acb8934bbe1333d3047ad849720f7192929800c3b15bed68dc659edcd67c793a0c80641e161c7617650a30d9bb32a1a7ee5df315e89a59804a1e4af4d578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8b1c9be18274fdfb2be597ef91854091

SHA1
ef95c00bed27189c415831d1d017923d4b4d8ccc

SHA256
ac99d282eed53d764393e12d02f312996fb47d9038a61f8a0d54af5bfe65d7cf

SHA512
8dadef235deff72af30bffd0722791d834aaf7dcbc6fda188ea5e22566d9d263cbf872298560070d27054f89446e68609026726c58fcbbe98fda303370f6b61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86bd3115dc87adfdb49be3581222540d

SHA1
279aa27ff0b727a893cb442717d0ca2769f1952c

SHA256
2141361627bafca833bf1ac52b9d8c9626c0fe1847edcde461838a437c0909d3

SHA512
a636bcf7244c87751801ffd5ae5af934172427610113e27397337e2a1655b479f8dfe797070bbf47c88a2221d00bdcaf51bf40ac9277083d9600db2dbf8d07fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1411c47c1711eb8f6b631ba003d2ac58

SHA1
0f1d48dc7597c71adbf9a4e0468ddda2fdadb073

SHA256
a5074dc0a37345bb4f250d632eff812d09b996780da676301b1659b63502ec22

SHA512
aa93a7b3d4e5e2f120903b70c7bf1796e5020aade480c2c270bb5f0dfbc4cc8f292793a43bbe040bee068388e4cd54b91b2ff1f89b498b3968380901920872be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67c77f3fbf115b88506a4eb4bc1e326b

SHA1
148ed06379a9185e46451e6d9e11d10d6c9301c9

SHA256
4b5ca3fc93dffc970ab9bd45b4a3f030ad42d84aaf02298bfa809ac252c5f253

SHA512
70c1d5edcd67d56575d22470e30d712f2cf87a62924eb9939f7b2d1bdcd036c4d4c86233a69ebeaa0d2152866069b97d0fe76381d03d706cb991592df39a4fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e593d6559f38a879a82ed2c78674ac99

SHA1
a120ccc567a34ab2ada6242d0a5768222457a5e4

SHA256
e65598ead7ed56a5389d629950cc57f5e48ee5ed9218967b0779653acbd61df0

SHA512
782517909c37c853c60469a7235f69d5d2bd00f0d2ed14898266f9574dd9c9d685073015fd6ad3e896ec075cda9df905574617c697130ba86515280e4e8c68b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d82a85e75b851b5d61f03a12563fcd6

SHA1
995dc0f849ee5c2b71be25e2d9275f998312885a

SHA256
2551d9a4cbc8f88232d439e7df76c44181fe5f05e7408f5a108602cd4f9fc06c

SHA512
aa2f1e533ff8adfe7ac7c6f843161c5c9aa7621363676a0e12b1add3dc60457304ebd2d1d3deabc79ad359b15f411cf6a1fe561a25e2da7615e4307230914620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8420f8499193fd155f6dab0d0e19f5b1

SHA1
b9d466ae06a3e8365b8fb6d68a6d99d9e51cc811

SHA256
766c96a20afa06aa43afd861a5e099e85ac0d0c6c9a7dc17f5a317c97ff0c058

SHA512
e5978f432a4e73f3c5616c26b0dfb00945b4f00fa250e310ddc3c9daa975c0a7fc5ac9cd863c79bc3ea1e2e8523bc71809c8abeb24ec8e766b195ed8cc105bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9f3c3c4c7fadfcb18c091556bcd6e88

SHA1
a0f6d0f302d1bb7cc7de0712fb354807ec870829

SHA256
10cd9b98a3f1fe17db387f58f679acbe7ee645cd4cc1e06fc700d1d00c88c05b

SHA512
5d0a26acca0496db67ef97f44364bc16269a37d4eacee53c6cc04b2c2f7def9dd4acaa33b03c6d9b5a7410f8dbe2e498d37908352ac42853d270f0779eca09cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
96b4448978fbd562493bbc5270bf21ca

SHA1
9b5175093276795fb8e7c278b2113936c1739c86

SHA256
738fc0e01162b202b80545209cce25e88a97cf1edab0851b986c58d22b693fb7

SHA512
f779c6259632726fd27a66dc81300e327877e3da5fc83451128ae5dc2845363a2ec49a8dc3bc0de3dd894bcae254ac95fb8a1158c4d2f1fcb419cd27b816af4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
c215e0c38909a3d0de87bb7a7e094216

SHA1
c08db5539e52c8f8048d020a12b97d7037c06ada

SHA256
ea76d74d6a5edb59183aab98ed6b773c500e3b63fa456b1e42b3a132e64ad534

SHA512
b4ae65ced51652f71db25a5f2a6c6527de4b6a3dd75c66eceae40d735ca5432c9b084c1a32864058a2a3055421ad254afff8ab80374512b97469043c898d531d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
054a0619c15fe03e9e8f5f362e17130d

SHA1
96d6e09ef6d4b745c911b086865d29605e3af1d5

SHA256
3d525aab9c687d97052f6a0b8b5f54af8f21258a7b4bf67817d0db0221ecf7da

SHA512
8df66597b2ec8e1aea31eab50eecaa0dc8258f37899e2ed0bfe7bc4708958804b6367ecaf6ae74fa4107815373d6bff4845c6a2fbc5ee39b76859ac7eb59fce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
d3857b498c8ea59fc143e48a0db67d4f

SHA1
5976d42cd9366673749d4a2d7462ae56d96f706e

SHA256
7a38185b03f55dd9e7c607941d6a418d17869974211ecb621ee52052a6ad5347

SHA512
75510a062dae08938cead8e054d73420a1aa0f22df7ffbb84c02c60effd338588ebc206ef962daaea0215f5c37fa2f58e8561dff6712d799017d5b9730cb8dae

Download Submit
\??\pipe\crashpad_4724_OQMSVYYVBKFMGMVI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit