socelars | 75751e39c518f2cf4ce2986e7c2649e4b586738392f677a53bf652a7d4811cc1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Size

1.4MB
MD5

81b05c43c1d16f7af57ea6bc9ded5729
SHA1

50e54265eeb9b3c9350b6c6cb17c0fc24f5064e1
SHA256

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7
SHA512

993a73a26086b37a2038520068b37e4ff9db6806c7489a389818ac1612ec0ae18629bb53d356e4774d25ec23b7ce0e5d15dda4be17e77d66447e6c12d4d7f136
SSDEEP

24576:PxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX43Z1oIe:5py+VDi8rgHfX43Z2Ie

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	iplogger.org
32	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
544	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696239845995594"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe
3916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAssignPrimaryTokenPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLockMemoryPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncreaseQuotaPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeMachineAccountPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTcbPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSecurityPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTakeOwnershipPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLoadDriverPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemProfilePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemtimePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeProfSingleProcessPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncBasePriorityPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePagefilePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePermanentPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeBackupPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRestorePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeShutdownPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAuditPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemEnvironmentPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeChangeNotifyPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRemoteShutdownPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeUndockPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSyncAgentPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeEnableDelegationPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeManageVolumePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeImpersonatePrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreateGlobalPrivilege	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 31	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 32	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 33	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 34	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 35	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	544	taskkill.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe
Token: SeCreatePagefilePrivilege	1064	chrome.exe
Token: SeShutdownPrivilege	1064	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe
1064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2464	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	92
PID 1800 wrote to memory of 2464	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	92
PID 1800 wrote to memory of 2464	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	92
PID 2464 wrote to memory of 544	2464	cmd.exe	94
PID 2464 wrote to memory of 544	2464	cmd.exe	94
PID 2464 wrote to memory of 544	2464	cmd.exe	94
PID 1800 wrote to memory of 1064	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	96
PID 1800 wrote to memory of 1064	1800	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	96
PID 1064 wrote to memory of 2224	1064	chrome.exe	97
PID 1064 wrote to memory of 2224	1064	chrome.exe	97
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2456	1064	chrome.exe	99
PID 1064 wrote to memory of 2356	1064	chrome.exe	100
PID 1064 wrote to memory of 2356	1064	chrome.exe	100
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101
PID 1064 wrote to memory of 3296	1064	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
"C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff4317cc40,0x7fff4317cc4c,0x7fff4317cc58
    3⤵
    PID:2224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1844 /prefetch:2
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1880 /prefetch:3
    3⤵
    PID:2356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2272 /prefetch:8
    3⤵
    PID:3296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:1
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:4436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,6784625034549120414,14529540834260347451,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ecd164fc47c099dd87f879e0b30a6213

SHA1
5bc1337ee96f4caec42238b2521b3d7044b3f557

SHA256
a3b37e52e6f081d0c977eafbccfd9b12a0517245594c5d8dd6f63bec8eab7d86

SHA512
a0befe85deb68dc0e7b62d3ed74495842e81aa8e96fb8c6db02448c0c9d72b3a6dcc75897f82ed9617d9f32151578ab2d417e75711d99b4b47e7190306487b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
44bffa57ea8dc1ca212277e260f4d04b

SHA1
72e71f4cffe193a6bc8bca014e336a48adb426f1

SHA256
efa74e10012aace30a4b474cad764e263ec8c770c0c3239987811f632aa19ed1

SHA512
d9c9ccad3e60d2336d237a55bd49872c5515b41456bd250d05881a232427dafe68fcd01a7923eab2f5a32705205511bc4fb5af007b5290a2cd2056069053fc04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
70eb7340a3b228d86d001b2323b8e7b5

SHA1
835ba4751dc9592914cf2eea803e87910b0a73d7

SHA256
aca7c3d0b584c42f9c34c97a34d48cfc8be548a8e42befbacfd87b435f2a2120

SHA512
0e375ce1316c1f14ca923aff9afd6a33c3614d9b334e309277449382dec26f540871f42f11ac424ef3c4f0dd05313bd69947f121e4687a1a764fc484468e4648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed96bf6cd541bf7e639de7ea54acc0d2

SHA1
fdbf3e423bedd27c8f669555cb535762322677da

SHA256
04eaa4e4c1ff4d5f9ac2da73bf5186fdc20e4997c2cb95f3b075051d61941147

SHA512
0912b09b8323bf67da794b9d02dfd2f6c4ec515208e13f4a57c817bd338edfceab99fc6b7aa0042b5f89063ebe3c804011f6bf7495fc78634bfbef608ce9d83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a79ae1a9ecd20505b25e544469ec36f

SHA1
07947e554d8b6d90c43fc0f930db47abd69ae881

SHA256
462faa879ccfb3952b7760bbff0553ae20d6c00f6b354615dc820f807153c62a

SHA512
52cbcb903d58033e71cb2466c33946b4eacef6a0f65a23655564a01f6882916bb1a41ee403d101a70a16b122e43f0bfe3d47817b1462d6545ec7966b3d27449f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48e57fdf3ead43cf303673b9bce31687

SHA1
8b84267a86d4e4d5bc5c7812652d790dacc7cee8

SHA256
3b1a0f49a44beb26c5c13808f04332928a744b1d7228e4eeac50915f291fe956

SHA512
bd06b65c4ac987921ec1d25d58ac7932340cc5fa210e0eb2743e971d33a028b58b0ca7252117053e177b8b1cff839669f39ba1206639d52c0597240de35124d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
f37bb0159005b5954d8d8ad5e5735739

SHA1
59fa125e44cd8064be0d021699df53ae906ed0c1

SHA256
08d88fd31d0c97229628d781bb3e838a7a139c1b70e434e882a4d758efb55cc3

SHA512
e252527f41ee8ba159d988f89469bc03fad5354bf3bc45e0e82ca5719b7abf6ab9be6bfc5bf91dd72dd3b728f72f33ff9db42b398063c373caba09cab1ea5c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
14d7324143232953c7855b1bdc51f43b

SHA1
4227215028d7d1c21aa9cb0da02dc2236b2b9ba6

SHA256
cdfcae7ab299fa85d0abd0aebbb09571375fb2e2dfa23a810ea1424a4b8af7b0

SHA512
bbf0a1f3c283fee3992bfea9496c9ff0c9fb5a663446b9f31f5f6a9b98a8a44979782b98a9055355b29e5b8dabbe2ce0681408af41bce5af28a7384f71b5944f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
6fff4b44f48884719379576ac4c7fd41

SHA1
5978fe3c13588b8e7f812029637c176cd0ea3719

SHA256
7ced1c50a56e0885b4e5072ba1106778a2617687940207d9461b8a937982623f

SHA512
ad09689a376a2e82b421052273984696a32526fd91220a6f22f84d5c3bc009448d8d3435345211180b77abdb77cb352ae4eb37e7d8a6a13faa4e597dcc61e157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
4feea61e99a48ddf3d6492c3269b99fe

SHA1
44d909bd81e4a36cf944d24c9c4a88c9bc02f447

SHA256
c18b7c531d977fd9fcdd27ec8d73b9857f1f832fc649896d64c19251f34defda

SHA512
ee96ba72ee7b6ed89ce5d37773a253ec719435b6da23cb43e8a2a1fa404870a00925c6ffd7e7e689b013195204b2a4405358a19c7cc5673608ec0e6f14e6ef20

Download Submit