socelars | 13337de67eadfc62a67fd61eb5d9bd7e1b9fc740c836d1abd1eef5141abf55b6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Size

1.4MB
MD5

8283cec57699a2836b4c85785a6a2ddb
SHA1

f2af2fe2acff956329a33083161885e15ca0088d
SHA256

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb
SHA512

816fee014a0d774c317d708dcba5111fe46ab40d5b31e2b718da79f7f16b4119eeae13dc3bbc350ba65f8b71fcba8dd9ac07c6b9ec2ca0b532e885195e139b95
SSDEEP

24576:cxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3CZ1zo0:spy+VDa8rtPvX3CZlo0

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	iplogger.org
25	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2484	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696550657988145"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAssignPrimaryTokenPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLockMemoryPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncreaseQuotaPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeMachineAccountPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTcbPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSecurityPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTakeOwnershipPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLoadDriverPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemProfilePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemtimePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeProfSingleProcessPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncBasePriorityPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePagefilePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePermanentPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeBackupPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRestorePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeShutdownPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAuditPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemEnvironmentPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeChangeNotifyPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRemoteShutdownPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeUndockPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSyncAgentPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeEnableDelegationPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeManageVolumePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeImpersonatePrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreateGlobalPrivilege	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 31	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 32	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 33	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 34	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 35	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1464	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 4376 wrote to memory of 1464	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 4376 wrote to memory of 1464	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 1464 wrote to memory of 2484	1464	cmd.exe	90
PID 1464 wrote to memory of 2484	1464	cmd.exe	90
PID 1464 wrote to memory of 2484	1464	cmd.exe	90
PID 4376 wrote to memory of 212	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	96
PID 4376 wrote to memory of 212	4376	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	96
PID 212 wrote to memory of 3312	212	chrome.exe	97
PID 212 wrote to memory of 3312	212	chrome.exe	97
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 2984	212	chrome.exe	98
PID 212 wrote to memory of 4512	212	chrome.exe	99
PID 212 wrote to memory of 4512	212	chrome.exe	99
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100
PID 212 wrote to memory of 1716	212	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
"C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff95694cc40,0x7ff95694cc4c,0x7ff95694cc58
    3⤵
    PID:3312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:2984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1972 /prefetch:3
    3⤵
    PID:4512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
    3⤵
    PID:1716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:1572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:2388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
    3⤵
    PID:1464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4484,i,13670320190046494503,18358276418758971197,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=836 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6b5c93df28c3214ab576cfbf229ea7d7

SHA1
b336621854477c4acccfb4c34961b54aee925a40

SHA256
7de5e3b9e288301d9cca17298217d2eaade364f65befc10a938a32a5ec794098

SHA512
a67ecc3d6e42438df631e7d2e019bc25478acd70b93a6d7bf715d40b75843b4f98c5b0491b0c3de25d0aed334c5cfefaa8220d6be529ae23e653aa91b5a87565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8b9bcbc589b2608ef1d01521dc4deaea

SHA1
3c6ff091b79b6fc957dc781f3f0f08f297edbcec

SHA256
fe3b3cc4879bd4d1d6f1efa7947b05cd5407ba01ed84038c0099d637fe128b2e

SHA512
e491dd499a636d6630954fbb11ea5883e80265d872bd115f4e565af28e4bff8c45085241d7d699ffb7d7cdfaf392ac1c03b959f31f452bdefb35ba737e51e96b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8990639bbc173f0b5013cdbf2333ea16

SHA1
8c03255b3b0bff6d141d3d931593f200a14c6279

SHA256
3f3c6a901e16aeec389354033eb839c8bb3c7479065038d818d8341cd63d342f

SHA512
4ad5dd01d445d82f18be659868246b78dc6d08902c5147dcb5a85e77190e7caac8d853a3bbe93b7581eaea324a480c854e71ba6fdaa2741c8b905700fe8de241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2ec46a2063b7e48bebba684a86ff657

SHA1
ec355613568e4167fe26142e036047541af411a5

SHA256
6422c6693ea9af107577f5a427cd3a728269002655daae2048fd1dfd3515eeb7

SHA512
8830f57b77d823c4b2840c1bed63bf4ab155e08bc9db6dda1a8a01b2b1a4fdafa17ec34bf7cdaf25e900cc9ee00ee76b728e4b72250284e6b0ee3d3907e25a91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23d0bc92ea9ea170d332c8fcb7b28005

SHA1
3663a5540e7ac94257806a7a48a02905388d0c82

SHA256
d7cbd4c1898fc0d69368ff6a0f167f05e7b1f9f4a1867044ebdd3a682c827fa3

SHA512
c03e471f23dbbf45d0b1b917a6f2220a8e1afdd3d97b3d2619cb8aba1a03f9bb0db69c9d8dbf36198e643f28eacf95a99155d142d163e0ffa0b54d78213a870d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3272abaea21dc8c0d4ce7de96ade464

SHA1
fc1d1c01f4c2838e4a4d9fe938f2c2efb00039eb

SHA256
a06792f648b8bffbcf39793497f862835e5d37750fe02afc6e2488961a26b8a4

SHA512
52db088706d1d0ddda50cedf81729eb05b2ca355c7b3eb637de321ff18010b3643a274e1cb8d6d54fc49b764e3a625b70177ea6234457df46bd2a7ec71eb2cb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83990f3e7932c8116a21e13c76f894bc

SHA1
dae0549192dfe64fc328be86d4baec4ef2dca326

SHA256
37a3e85c22ea2f8877076b58d311f540f01af61119fb7f94e187dfc99b2a89f3

SHA512
c4df91b1144b5a7173699c4a51a717be6bf602410c69d590269d4d5ad2bf0a02b19680a18d2ee128fd4d8fbf73e17fe8857c3b2a8f347939053c6a8f15c36396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c2aa774a2ee6b3f17558b8a819e83b4a

SHA1
1b17d513c6a488543eedbf4661ec90abfdac20cf

SHA256
ac2c47a460d35cbaee0f6f3cbe8f9c31cb2a388a86b92ce352aede9065b27807

SHA512
d51916e3a443e3bfd6d340daaccacb481a08bdfd0d8be1a3d62a285e6983804b7b9ebcfc30a4748e4a2f3ea7716e1be874ad0645b61fe536c4f113299008d32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
7474d47adf69d4781b7ed33242dbc4fa

SHA1
3ca4001ef5d9798bb315277a126bfd625b9d0da8

SHA256
cc99758ed278672db71a331d3ef0317395b85e456d9f474d6fcd6976707e835f

SHA512
47270240f2034fbbdc68f7cc75bc990f231abd7565f002f8ea99cde46485cf286c180a64b077f48d4837e226afaea983ffa2e4f9257610f0ba29d2639f81d7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
3e46b762f4e0fa8e81cda4f767da2f9b

SHA1
548a2b16aff88efda9c2eddc019c9bee8421cf15

SHA256
84072f46806b7a85e17c634f89a71d3865b5f6ed407c5a174db587c863ce687c

SHA512
716a7cde34c4d8b6dc8632afd73b68c7977bc37cfb4ed3d2fd56b2f5e3874877153728dc0f493e6bc06a4c792b468e5d1c1bcec44faa7731cf73bf75f877c0a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
db382460d783c75bd1d58b13eb5e2d0b

SHA1
eb2f9897d1bc5a0844e360b5ae5bfbcea31d4d8c

SHA256
29601ece4181b010d882163944a93f04350adfbcc9a945f3ddee54e677114dd3

SHA512
98ef683cacf17aca7e397050b812e44d778d443a253ea46d41b1be862ab0c2b1e000d5ab161f0810684100921120c950f1826b7ca3afdf6110c2e9b9b6b90b89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
c27707e2866e724ba4780f64dd8c0204

SHA1
b595ce63dcfb24b1c2f81ba7f61a5e7f87b2a9f5

SHA256
b1f0b67ab96dbe1c8a12d3525a45311577063e1f724ce973eeae64a1b4ea8a32

SHA512
831e8d686e8e18c3511e988669326e6c3fe196732a8231413d619b0ff165a6bb66d9d57e22f1107512645ab6f50025543e844ef67ed9a4094005c8c8d1738815

Download Submit