socelars | 13337de67eadfc62a67fd61eb5d9bd7e1b9fc740c836d1abd1eef5141abf55b6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Size

1.4MB
MD5

8283cec57699a2836b4c85785a6a2ddb
SHA1

f2af2fe2acff956329a33083161885e15ca0088d
SHA256

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb
SHA512

816fee014a0d774c317d708dcba5111fe46ab40d5b31e2b718da79f7f16b4119eeae13dc3bbc350ba65f8b71fcba8dd9ac07c6b9ec2ca0b532e885195e139b95
SSDEEP

24576:cxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3CZ1zo0:spy+VDa8rtPvX3CZlo0

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
24	iplogger.org
25	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.exe466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4788	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696281277470060"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2880	chrome.exe
2880	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAssignPrimaryTokenPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLockMemoryPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncreaseQuotaPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeMachineAccountPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTcbPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSecurityPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTakeOwnershipPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLoadDriverPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemProfilePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemtimePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeProfSingleProcessPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncBasePriorityPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePagefilePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePermanentPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeBackupPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRestorePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeShutdownPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAuditPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemEnvironmentPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeChangeNotifyPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRemoteShutdownPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeUndockPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSyncAgentPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeEnableDelegationPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeManageVolumePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeImpersonatePrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreateGlobalPrivilege	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 31	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 32	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 33	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 34	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 35	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeCreatePagefilePrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.execmd.exechrome.exe

description	pid	Process	procid_target
PID 2412 wrote to memory of 1108	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	94
PID 2412 wrote to memory of 1108	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	94
PID 2412 wrote to memory of 1108	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	94
PID 1108 wrote to memory of 4788	1108	cmd.exe	96
PID 1108 wrote to memory of 4788	1108	cmd.exe	96
PID 1108 wrote to memory of 4788	1108	cmd.exe	96
PID 2412 wrote to memory of 2880	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	97
PID 2412 wrote to memory of 2880	2412	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	97
PID 2880 wrote to memory of 2204	2880	chrome.exe	98
PID 2880 wrote to memory of 2204	2880	chrome.exe	98
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 1556	2880	chrome.exe	99
PID 2880 wrote to memory of 4428	2880	chrome.exe	100
PID 2880 wrote to memory of 4428	2880	chrome.exe	100
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101
PID 2880 wrote to memory of 3144	2880	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
"C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffdfcdcc40,0x7fffdfcdcc4c,0x7fffdfcdcc58
    3⤵
    PID:2204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2000 /prefetch:2
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:3
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:8
    3⤵
    PID:3144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3688,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    PID:544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
    3⤵
    PID:4808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4984 /prefetch:8
    3⤵
    PID:4504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,16906536494163356323,10003779819601250753,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4636 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1016

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b9b56513fd1933553506e72ebfeaefe1

SHA1
661e5d98760b9ab0ea355f7616c8d50b5a04c07e

SHA256
455065a68baa38ba987d9201ec81f6bb3e552db86d9385838f0fba136e6404ea

SHA512
8a09cdb39cf6a831bff8bee29951507484064124a3ed7fbbe370fee9f2533c64bec71845db5d31057b029e795d1698e89aa01079da1c9459239a5ba452195274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3624c61895101814774a58d5545563d2

SHA1
632ac1dbd45905e7cf23f7e9a184482545ac0207

SHA256
6f4ee825712d14310d088c7a4045154fde579ff64b8be2079c7d1ca2b7018f2f

SHA512
2ef0d22a5e372d1d770c0c2a5b56c45d59dc4ea067857defb09937d43384be6d862681f3bf9533964e443d4f889c84515bd3cb0dfb268f89558c866175e881e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
81a25104657e649e39a5681ae7de13b5

SHA1
c53e0820b0bf8bf67bd3a80e776b294997df5a38

SHA256
2364f96172dc7ecdb3ca7d5f7538bd5dfdb7ac4ca2c4964a196ecf27a79a9d8a

SHA512
220e470c3023f6e8f1619c6dbf271a21b03cb4e4ddbd25b1115f76fe7cdb648451b9f178fe3d39489661d87edc928e752ed433b0fbe25e968290e864e1326340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8f5cedfbae5c60d984e4087ed07c4ae

SHA1
b3a7a62f0fdb09f364e963df33fa48cdd29d44b2

SHA256
dba04a1d2271d6c0452dca0aa9132e8b5efc435be650c7d2d3e875b8ad6495b0

SHA512
f3624877d4dac6bda8d9eab024e2c52452656c2bdce421a14b3088b2981eebe261039e10e8301ab58aa81c7f76b3df8dda4e73c7b8305d84098e5d0bded93fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac0fd4e11da26812648cc2565ffce272

SHA1
23e1dc6a5ddae5364a7a0f64122154b4acd54f93

SHA256
7a917cc0d39cc5adb59862bfbab4e30f0b566cb0d17ed26de7ebe8081077a456

SHA512
ca02d9f0eb762b5d549d0759c02bc5d9b162ac05935897acfe582acabe805928472a6e0d69ebbf1257b397a0b3eb9cfc8471552e21715c76beb5e8d85a3ac2a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bee4665aee7999216a8594434ef2e5d5

SHA1
2e1129a960e400b05db59382bae9057932254812

SHA256
04a5ba0c94b1b6ce22bc6fb3f15ca4a9b420213f45417018c7d88cc433e8b10a

SHA512
e075b3b0fca769f49a7c1aeff03b50205e18a3622f5e453d090dc9a0e4c68e26056eccce83b956e44a4e78b5ae39004303cfbbe258fe212d7377d7c25728d009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
6db5daf5f6cf6be4e9ab07ccd28e1886

SHA1
1929ef953e39e120f5da8785e32f89a47a7f2071

SHA256
856dd66c9a6a3131ca88eac9aea0ddeaf41ecce22c37fcd1ad16807230af013d

SHA512
91b79f612e5737bd8ddbdd5ece0fb4d843008c60d33ffdda58ec2163273944c9d7da558c5e8b24b513752b281309101dccfcdcb7b72493837058f97b6e2cbfdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
14d7324143232953c7855b1bdc51f43b

SHA1
4227215028d7d1c21aa9cb0da02dc2236b2b9ba6

SHA256
cdfcae7ab299fa85d0abd0aebbb09571375fb2e2dfa23a810ea1424a4b8af7b0

SHA512
bbf0a1f3c283fee3992bfea9496c9ff0c9fb5a663446b9f31f5f6a9b98a8a44979782b98a9055355b29e5b8dabbe2ce0681408af41bce5af28a7384f71b5944f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
8c01d114514767381d0f02184c0396de

SHA1
a34b7c2fd1bc39ecbe0dd13d6657acb49f95db18

SHA256
e3e36d3add7eda597261dc28d9de3d78a766306013b3dc72d166553fb348aa36

SHA512
d4dc8be3410d8f2fd2b18c949130c29ff296bf309ed573972e3796a7b287b153180b187780c34e5eec83ba1ed6a13a9aee2415c47f4e657cc7583e77c9b79e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
9e00fd3d3448024db18b9b36372b7aea

SHA1
dcc6ed2393b841f3edc08aa5b5a0b38c6703889e

SHA256
09e5267dcbad276e4cf2d7321406d8686e8e16f0adb33b8daaa73efd8b3040b8

SHA512
8de0a929803811a463261476a1b59d549a3dcc9cc97e7249a0992f364d7024569b90eaf4bbd9a569c69428c97e6d9042131c8ba9a97ba9a58a46d199bdd0ca11

Download Submit
\??\pipe\crashpad_2880_WUNQILFWPXNWESHU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit