socelars | 75751e39c518f2cf4ce2986e7c2649e4b586738392f677a53bf652a7d4811cc1

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Size

1.4MB
MD5

81b05c43c1d16f7af57ea6bc9ded5729
SHA1

50e54265eeb9b3c9350b6c6cb17c0fc24f5064e1
SHA256

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7
SHA512

993a73a26086b37a2038520068b37e4ff9db6806c7489a389818ac1612ec0ae18629bb53d356e4774d25ec23b7ce0e5d15dda4be17e77d66447e6c12d4d7f136
SSDEEP

24576:PxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX43Z1oIe:5py+VDi8rgHfX43Z2Ie

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	iplogger.org
35	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1380	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696227821802826"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAssignPrimaryTokenPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLockMemoryPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncreaseQuotaPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeMachineAccountPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTcbPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSecurityPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTakeOwnershipPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLoadDriverPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemProfilePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemtimePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeProfSingleProcessPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncBasePriorityPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePagefilePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePermanentPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeBackupPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRestorePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeShutdownPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAuditPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemEnvironmentPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeChangeNotifyPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRemoteShutdownPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeUndockPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSyncAgentPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeEnableDelegationPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeManageVolumePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeImpersonatePrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreateGlobalPrivilege	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 31	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 32	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 33	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 34	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 35	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe
Token: SeCreatePagefilePrivilege	2508	chrome.exe
Token: SeShutdownPrivilege	2508	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe
2508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3284	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	94
PID 3288 wrote to memory of 3284	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	94
PID 3288 wrote to memory of 3284	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	94
PID 3284 wrote to memory of 1380	3284	cmd.exe	96
PID 3284 wrote to memory of 1380	3284	cmd.exe	96
PID 3284 wrote to memory of 1380	3284	cmd.exe	96
PID 3288 wrote to memory of 2508	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	100
PID 3288 wrote to memory of 2508	3288	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	100
PID 2508 wrote to memory of 4304	2508	chrome.exe	101
PID 2508 wrote to memory of 4304	2508	chrome.exe	101
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 4264	2508	chrome.exe	102
PID 2508 wrote to memory of 3920	2508	chrome.exe	103
PID 2508 wrote to memory of 3920	2508	chrome.exe	103
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104
PID 2508 wrote to memory of 548	2508	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
"C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d51dcc40,0x7ff8d51dcc4c,0x7ff8d51dcc58
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:3
    3⤵
    PID:3920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2268 /prefetch:8
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:1012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:1
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:1656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    PID:1376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5056,i,1826141011656592222,4486730818350694076,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=208 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\03a8009f-667b-4ac2-a1f8-7ee150f42d6e.tmp

Filesize
19KB

MD5
43eff9e39da3cc705b3355c6e7d100ac

SHA1
caddc6759e5ab7e6cfa070d163f180275d9e16e9

SHA256
4440fc8903a8ff4550644ba50c1c9db694ef6a9109678e4d4a0af06a996038d3

SHA512
5f6eefc738fc5a0d3c5860b7e099e7b06e8bfd8ff2dc723f86616aba05d638b5ec8bc78417a1002d7dcd049e0b641c062dc5c0fc1e7fe9ec20f443288103f40a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f57253d7b4f679de4671901e15a7521a

SHA1
51ad551dea3f1647c07897a67c07669220305448

SHA256
5d2bb2caa0e8edbed3e1bfe53851f22414cf421f6a150e923bec4619bf0e6466

SHA512
18ad62a17f994ceb0766c51120107b095330e4f5fb3bec283d8e76b1ccb993e2417416ee4a07f8fe5f6ccf8a2cb8c60247894e08dc20c6340664a27961c5542d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9ca40b98674f8f0db7fd35851bffe511

SHA1
c0c5a715d31357a0424dab8f63d5665953959f61

SHA256
3244246c80eb15fd1fa4a540f92580a082e9289d54f23b893a652d3273aeaa16

SHA512
8e8388ee9f0b660fba0d546476115038052f8d0b3361f028de676fdc260288a0f4a4f463abc43a1a63b53afaad8139e2c3e5afbd2272046635578cf06cc4adbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c6c750ae0af8cfbfdfbba1bd308f0e4d

SHA1
b1bef97f1c926b59154046f845aa1d430c5e788d

SHA256
71c3897241426935b2296e68cdb32810db9e33e41f9206d2c0cd51541b82df5b

SHA512
185fa49f12d9b5e90516465af19a8959fd5b0ffc9d8b5042a4838271c6dc17249320ccd840bbe3f744ab96f7d95082585531bac53d5bc630055a261c66564375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81cda48407ae9c0bc4ac6da02bbb06c0

SHA1
70683ee797ce48a4b341042eb26fcfcd51df0ac9

SHA256
71b2b78c25b63279dd2681a59839be308e0565f45d5a29a6830055a596b3ccef

SHA512
8285524ba6717eff8fdf5d30cb7e95ef485c7d51b2b751eccb69afc132501df5d64b19f3b8c6e7dda23fbaf307fdf0b0bea0946ec8fb86fcd02c7b3cd54c32de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07c588662457a4c59efeb59ee06a891d

SHA1
39ddfac786012e81065327bbb0bcad7075fadcb4

SHA256
30cfac750391cbac70ac7aa1ad7dd8d5f847addac49371a7b44a0887d8832c6a

SHA512
b118dd4aea8f8056e38b72702eaa9808041a2ac9b21313af26eab8edb421465f5444cabfebf55a8ffe4e665a9e1433c84fcb38f9436442379484d2932cabdf3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c43add4672dd304ceec145327146964

SHA1
bff159d925916921ae2da807332222cb95286719

SHA256
ddee0089b8ca5a20b40d17dd24d57c5533883704e834360dd5542ec80584fce7

SHA512
151cc086298a9afbcbbde0766037232d4268f5bb3041343324896bd006bfa7d2fc83c988820c05094432cf87f6e522fde858944f2e506a9b5a64475727e2bd96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9234e387e83cd5c5a7ab677dd09a6022

SHA1
131ec98853544e8740eb89f7e14d0854faf3d75b

SHA256
2f722193a6ae37d6e9f233c98eb635179ca3358beacd685a60ac9f3192d294fa

SHA512
5d5699e36fd3bd19ace55b0dd1e4bb19c35cef42ac0753a227305a1fab937c8f6d8d96611b440404d75559602ab4c59a3d5ff756f27c051015c1777182b9a1b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
048b40150e344333f9120a4f377752c8

SHA1
36fcc82f4bad300c9b152062c59d76e21df4cf7e

SHA256
d85a253c9e1e7bfbf79e6364922c7a55e658a37915d560b7220f96b7aec7b4d6

SHA512
c9ad09619a2d94cbf8f417ad73752a339b5d365b8a8c5a93d558166fa1950e27f616cd1c968aafc0e2f2fe76bcd9bc318289410246b997f1587a674abec065e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
08cab8b448cbe3211c275103ef606d79

SHA1
d27973ef877b2b1e15d32e7be1c4a587a74cb4fc

SHA256
64f181f274d5c51287c2bf9527e23b101ce812ce7510a9bb85d435daddb3aa6d

SHA512
8867e6dc9d58027a095f58893de52b500bae040d70a4cf392b186cfb52d3c5c4405dd68245399c18d1121992702bc99af96c2255ec1799838037529f4cd897a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
18d53dacc61a49aea6f71344811718fc

SHA1
0d7da1761ae3ab1373abbea6dc752e4a25492c65

SHA256
5fa34afdd8aa51cf591f4081eff5b4ca85816ee19299e96a7a13bc20b1575f19

SHA512
c7baccac2e3d395e8dd2da0865e9a42afdc17376d8bfd3e9207693102dff8852fbfec41b5e5c6bcea4bc5fce4520da9598642c2ad6427595849eb5cccce2217a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
0f570bc92f1d7d63ade2850f7450997e

SHA1
b5063830371fdc8645b29304449d22b17f32beed

SHA256
7480ce1c55e16391177c5606cd975763fc2932a3b0f5f3fdb9820936f028f8e3

SHA512
4abbce73fca396061d510d6c6f7bab8010e68d59d478f93be504c44fb94af0712112f17f57f7d88169495b1c1b4b4f9aa17a1b216899baabc8253bc00c1b7add

Download Submit