socelars | ca89728f96d72931d4c9e224f1fb79abb214f09b58f6e967a2105a51e62adb0a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Size

1.4MB
MD5

275ed964b4feb7d2d12053dd8eeecb7a
SHA1

8c33019c08529ce2868c7ed86a04a16c5046a718
SHA256

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1
SHA512

8cc6c9912dbb6482b2481d8924d4dd17aa7765b40655f2cf946b930335ec0f62cab939158d13f89155ea3ce15d2e0eb3d712fb0fb74081be5756e3d893347246
SSDEEP

24576:dxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX32Z1qsa:npy+VDa8rtPvX32Z8s

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
30	iplogger.org
31	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696588592965143"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2168	chrome.exe
2168	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAssignPrimaryTokenPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLockMemoryPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncreaseQuotaPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeMachineAccountPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTcbPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSecurityPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTakeOwnershipPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLoadDriverPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemProfilePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemtimePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeProfSingleProcessPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncBasePriorityPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePagefilePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePermanentPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeBackupPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRestorePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeShutdownPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAuditPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemEnvironmentPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeChangeNotifyPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRemoteShutdownPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeUndockPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSyncAgentPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeEnableDelegationPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeManageVolumePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeImpersonatePrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreateGlobalPrivilege	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 31	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 32	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 33	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 34	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 35	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.execmd.exechrome.exe

description	pid	Process	procid_target
PID 892 wrote to memory of 3876	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	88
PID 892 wrote to memory of 3876	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	88
PID 892 wrote to memory of 3876	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	88
PID 3876 wrote to memory of 2100	3876	cmd.exe	90
PID 3876 wrote to memory of 2100	3876	cmd.exe	90
PID 3876 wrote to memory of 2100	3876	cmd.exe	90
PID 892 wrote to memory of 2168	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	96
PID 892 wrote to memory of 2168	892	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	96
PID 2168 wrote to memory of 3028	2168	chrome.exe	97
PID 2168 wrote to memory of 3028	2168	chrome.exe	97
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4768	2168	chrome.exe	98
PID 2168 wrote to memory of 4892	2168	chrome.exe	99
PID 2168 wrote to memory of 4892	2168	chrome.exe	99
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100
PID 2168 wrote to memory of 404	2168	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
"C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8071dcc40,0x7ff8071dcc4c,0x7ff8071dcc58
    3⤵
    PID:3028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1952 /prefetch:2
    3⤵
    PID:4768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:3
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:8
    3⤵
    PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:1
    3⤵
    PID:2656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=832,i,10433979174863440736,9495390549155713686,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a68ca51602c607485cd6d7da5e46673e

SHA1
7dc5136eae75dfdf9e9706b0119aaf90dbed8b90

SHA256
649e485f0164563075bbff5da1e6ed4fabfef3724d4bf68fc9a20c3478296626

SHA512
07dca4442a25982ea5d200deab99afaf2050a6745a5de141abf0547ded35f6288d3019b4c4924c5f9fed9f383bd40cb618da3a4a475aaf5e6678bd5f814bab05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\859b2b1c-f021-4282-861a-8009e2c61d8c.tmp

Filesize
1KB

MD5
a8c09d8e64cead7202ee1b055a3051f6

SHA1
4e322262b5b8ea59cd357b267676b2a9220e619d

SHA256
820699df94a02f1705ed35f4694b46f032f90e50259d771f425697a948d7f924

SHA512
05c3109846a7784ef4489c655d1759e0a06b7cbf76a39bf3f619a6244406d4bf3c7e131885c029cc5a78c78a78bb6205f87b80b1bfc472bc37a553a179f12fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b4ef9737183d55e3628c3bcfa6b1678a

SHA1
8da51cfa275b0db0334ee5d09add8a70cb502287

SHA256
2836da58c82b9f5362326ab8f57a5d5d99d600217a208be3452646f09d6768db

SHA512
60564eacd5575567170389b9455e800f040cdf93b8cad8b723fbe3d6a36675419d02a5fb93f3a1067bbf8771c41b445088000969e19d4f8569a3113125606a41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fee4214a3d477e4de2245778804f24e

SHA1
8207f3d676d885d50435fceae7abf42ccdfd1b57

SHA256
76ff3cfbe3238e142b0122a23d2850600973812175f3cbd613de290b6d52dfa6

SHA512
f86624f2125a2e9855dc0f3e1d557645874b9a239de04601a7c83a206dcbc826d1ae66415d25e8a37b4888f1a684aae3b9830adce20f4bb3f12c09b9d81b82b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6872f540d05a0268fdc9c8dadbe2d6e5

SHA1
7934a89ef7f4ee1fe495adf4b92178f8b0d1b14c

SHA256
229c01a2d987067cf037bd9c98642d71c64bef2a530fab602578d3508957e188

SHA512
7d0f16385c21796ce55afbfb96182dfc9f6b805b4d0b4eda92aadc1211deaa401ad3a28e4154249bcee72e425c6762a546df3db36d9f4cfbac0b7117d555185f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5346ff4a454283aae9f4d51a10bf0a76

SHA1
e55e3a949970fe76c51a6b0c5a6746299d56ad75

SHA256
6f7d1f49ea77ca8efad5b1dcc6533df1be76b5718eae215158e1115450cf50ae

SHA512
7ed26217d307285e32cec5ccab6c55b3842d4eee3d5bfa20c41fa9293d3497910f5ca3b37bca3cd36716e9a4e996f3226d6e3b11afadfbf77cffd81329a1ddd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af53d2e81c690673df0afd137b4be787

SHA1
b87187139792265119cf6b6336c324db786e19ea

SHA256
2172ba5130df057deb9ff3c26b182172a0af703b402f75bb70414c69523fba04

SHA512
12df73f3477b9a7437f1a5a261a70f3aba4ac6467954c9083db8920c9455cf2325bc4f96adf6e68692201e5cc8abfae94def54bf2624c47c88e34e504a811c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
827ed833d76f1ca6affc14d97e410856

SHA1
37501501cc42dac94f0c1d86f8fe086131d51ec6

SHA256
27c751702afd3c4d8f939b5e3a6ee4e020954670f5ae94d82a31cd8a91a6e2cf

SHA512
28cff13cc260b94936e7ef677bcf2c5ee6718beda87b1645b76961de7ee61f28be7fd469d6a48ac8cf590eaba6d549af8983323139d788b777a5fd0d7c6a285d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
3b73641941b21a750d4c8244b4f8e03a

SHA1
6acf58594810f6c361748640005a133779d85acb

SHA256
4d8ef926177de8304463fe31a1e9c9c08fc10180d6b4120b801f54dd04e8ca56

SHA512
4c91f70fd4108ed0c75968d91f6e36a52f7aa16e2dcd27e005fa82244d13208eb1a09f364e82ddb04c58b128232046a2b6105947b1a307c89c38f01669db4e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
0b1552c35399d183240da3d3e22d5de8

SHA1
75d2477b76128cd4226076e3ff3955cfda3a97fa

SHA256
bbbf492cda9263d204fe6d712e14df1aaca7dc848af99ad1c03f15d140fbc895

SHA512
42a9a34e0829c70148c2b6060460743928823625e37a488f6acec48e99f253359f9179735561ecfe6b5c1580b329fe1db92ead49160cc865d99b1f72008f1ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
8f904952ffb01dfb74299fafe2c9bcbc

SHA1
5d5be5ea5fba11eec30253a5fbea09892f34da11

SHA256
2b6a558bdb16420e53cc6a222794fce84bd5641446a331f3face5d0f476ac21f

SHA512
fd25fe45e0b226d286880508f23b63b92e52dcba44a05438c7dccd5440ccc954de9a9e6859542e3539594b011416ba9c8bd5bb35d9f61a73d0cc146d30b06b54

Download Submit
\??\pipe\crashpad_2168_HFUNDUZOTKTMDIZZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit