socelars | 13337de67eadfc62a67fd61eb5d9bd7e1b9fc740c836d1abd1eef5141abf55b6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Size

1.4MB
MD5

8283cec57699a2836b4c85785a6a2ddb
SHA1

f2af2fe2acff956329a33083161885e15ca0088d
SHA256

466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb
SHA512

816fee014a0d774c317d708dcba5111fe46ab40d5b31e2b718da79f7f16b4119eeae13dc3bbc350ba65f8b71fcba8dd9ac07c6b9ec2ca0b532e885195e139b95
SSDEEP

24576:cxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3CZ1zo0:spy+VDa8rtPvX3CZlo0

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	iplogger.org
32	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1372	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696633822707175"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAssignPrimaryTokenPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLockMemoryPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncreaseQuotaPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeMachineAccountPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTcbPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSecurityPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeTakeOwnershipPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeLoadDriverPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemProfilePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemtimePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeProfSingleProcessPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeIncBasePriorityPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePagefilePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreatePermanentPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeBackupPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRestorePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeShutdownPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeAuditPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSystemEnvironmentPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeChangeNotifyPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeRemoteShutdownPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeUndockPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeSyncAgentPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeEnableDelegationPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeManageVolumePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeImpersonatePrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeCreateGlobalPrivilege	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 31	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 32	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 33	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 34	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: 35	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe
Token: SeCreatePagefilePrivilege	1060	chrome.exe
Token: SeShutdownPrivilege	1060	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1872	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 3188 wrote to memory of 1872	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 3188 wrote to memory of 1872	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	88
PID 1872 wrote to memory of 1372	1872	cmd.exe	90
PID 1872 wrote to memory of 1372	1872	cmd.exe	90
PID 1872 wrote to memory of 1372	1872	cmd.exe	90
PID 3188 wrote to memory of 1060	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	96
PID 3188 wrote to memory of 1060	3188	466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe	96
PID 1060 wrote to memory of 1988	1060	chrome.exe	97
PID 1060 wrote to memory of 1988	1060	chrome.exe	97
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 1568	1060	chrome.exe	98
PID 1060 wrote to memory of 4540	1060	chrome.exe	99
PID 1060 wrote to memory of 4540	1060	chrome.exe	99
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100
PID 1060 wrote to memory of 2580	1060	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe
"C:\Users\Admin\AppData\Local\Temp\466a7a4bfd7d7bd3a21da0a70eba84be27533dd1f42b44cb50b559524870b4fb.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffdde0cc40,0x7fffdde0cc4c,0x7fffdde0cc58
    3⤵
    PID:1988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1636,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2040 /prefetch:2
    3⤵
    PID:1568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    PID:4540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
    3⤵
    PID:2580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:2872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:1372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4892,i,16922175687199872359,16677593023556308779,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2908

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fd197f90b5b14b6bf7afb90dea30542a

SHA1
ed1ed63b06168bdf435a3bba88725424ccdd9a90

SHA256
c96d2443b519286510aee16c96b8637911633799f51e7cf7293bac6383415b3d

SHA512
fbb2e67a710f53dae0d2decc8554477e95e44185a3a1bbfbded6673fe1fa685da4b5abf94c19187dbcc1bca282a667b5c4178fdb9778b34f18df95a049d2bfcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8fe18958605829ad40c2d58f8a85bb40

SHA1
804d2c54739ba34410d71498ec92cb7da12fd3a6

SHA256
0e69f1676f6e9eee163f0cdd21e70f9e5a7535691b0caa4b280831d1b209d99b

SHA512
05dbcc11298a226123cdfad18adbb30b2175e76d880a410b4917b5ce1e766d42c353ef5719e43333095fa4deef2e0e4d4448dae9b833a2ef1ec4604eead6241d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e1eda4743b358fc95d94b418f0fb3ec0

SHA1
fb9db7ae6ca58f3a624f4e4348b913b1d4c9b2c1

SHA256
b13ae32ad8d94f2dbecdca6d516af85833b39f798daf1013a198a93269d9455f

SHA512
7b17865df757746474f54a9ebe1476bd61312251bbe45989a93640008c51744d7ed5c2dccf21602045b87db3ff5aaf159a05752db06e5ce07470e3eb5ead795d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49b9bee75e7a8d89c96474ed8cb2f161

SHA1
c4e0cc7b5cda681764716577f6cbaa003c9261a8

SHA256
a436855bb3e5e0f816e4f8953fd9e8e85e5df1133525218d6a65c2adfe8651b5

SHA512
f5a863619b6b3d2188fd455f76cfdf1e78f8011dd56e2ec16da01057040a6398c26f8550d61b80af63f2276052d3388dc3bb584120fdde33081c4ec650a26577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e376cb61e2945861a932af3d8042ad2

SHA1
089ec6651fe445aaf05942576b3bc388d4fac4c8

SHA256
35b47b9fcaf5102edcc33a2abcf9ebd329eb76b93864840a69c374ac302b53c5

SHA512
ed6c6731b04a8683bff6e1bb7dfe06f4e21f4d2994614751e7b26805a20c89f683df7899d230dafc4e388a725cbbc07dd6743cc69975e0aa0b68007253597417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aec88c1447cad8ee9d4147c88e4dc3cf

SHA1
2b5536c55686bb1df6d7c845875a3b813eda2bd1

SHA256
0424a26c155269d71e561e460070bf5a23a7499a49bb860017bcd39b15a7c0d0

SHA512
a0e62c097c7a45b0010a047fa99277408c9dceb58fe974dcb86a01c4948ebb462c19526f0a5aa794f59e8f22b26cc24f56cfc494902ed6fcb6dbedf58b1ac7d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff45a39a39d8fbe8fb50c6e09adabb43

SHA1
d6536d91cad6a1572b4e44d28b2be154551bf930

SHA256
aff4fc71782ec694936a5af08428049949da9c0ac21ca18c09695503db0543d0

SHA512
f5f8f034b7091c21e39235d6219391bd6c3b1f88fcf4ffa328e5e5a84e9fb773cfd13811ff64cc57a2553ddaef6ad4f58ede41526e1f0991d74bb5a406287ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e40ad7c1a6a7c51aa58cc26b42730bff

SHA1
bd96330c9905d60545c97aaffacbde17fce65f94

SHA256
66285ebfa824b1a276845616da76434f7ee9acf8abb6c964d5b76321b2869453

SHA512
17200ddf1083ad89c6659e8d1801d12090eff6586c8206a86f3687c53da572da4b67bd673bf668fdbca89ad51771c5412e590dc8c5064fe110c32ebd2ec42e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
7251efba47f0b5ab82bdc9842c06596c

SHA1
801dc19297b8316e533dbbf131399bcdff63bd6a

SHA256
b0afdb5bd20d287f37f2a1508053f7a8a468c6e09a0c6e1054283f5e11270ba1

SHA512
635aec624f52e5f18b876aa8c77d5cd1673b243ef2ca7f5d3373f0b5ad91802032cd3083edecd478c83987192e9c4ac1307c5972a77a49b0c3e143db7dc63b38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
14d7324143232953c7855b1bdc51f43b

SHA1
4227215028d7d1c21aa9cb0da02dc2236b2b9ba6

SHA256
cdfcae7ab299fa85d0abd0aebbb09571375fb2e2dfa23a810ea1424a4b8af7b0

SHA512
bbf0a1f3c283fee3992bfea9496c9ff0c9fb5a663446b9f31f5f6a9b98a8a44979782b98a9055355b29e5b8dabbe2ce0681408af41bce5af28a7384f71b5944f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
9c7ae73a8928901b9bc6c73f4c658a3d

SHA1
3052cdb369069f1491df2093d2da28f54d0c90a9

SHA256
609ba0b70a9a3fe02a69c7c2ea34bbfdd9ec6723f7609314cb727cd38a3b0902

SHA512
d1ea933188a3feb5e85be469ebc7e76eb888afa915d1dae8a37c561c0aefa8268fd362e7a8fe88c4d929459ed6ff51045d5541b726f8c2fae4124003c44559f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
eb93c87850edb3d19ac9f8558e717629

SHA1
82e5738fc590765de94ac29a71d0156abf73b2f5

SHA256
104f359a3ee6e8e3f872c1c0e0b7659a52f2d3bed2e651c0f85d7a4e557ec3d5

SHA512
3c9ec6d9d46a36ea97e9a48b48b76da628ca82caf0d573dd626fe2c2be926c6c55bebff93e3fe5816255c2194c71118e22e280daa834e2825d761e2849b38c5f

Download Submit