socelars | ca89728f96d72931d4c9e224f1fb79abb214f09b58f6e967a2105a51e62adb0a

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Size

1.4MB
MD5

275ed964b4feb7d2d12053dd8eeecb7a
SHA1

8c33019c08529ce2868c7ed86a04a16c5046a718
SHA256

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1
SHA512

8cc6c9912dbb6482b2481d8924d4dd17aa7765b40655f2cf946b930335ec0f62cab939158d13f89155ea3ce15d2e0eb3d712fb0fb74081be5756e3d893347246
SSDEEP

24576:dxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX32Z1qsa:npy+VDa8rtPvX32Z8s

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	iplogger.org
28	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2244	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696672990069937"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
180	chrome.exe
180	chrome.exe
180	chrome.exe
180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLockMemoryPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncreaseQuotaPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeMachineAccountPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTcbPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSecurityPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTakeOwnershipPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLoadDriverPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemProfilePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemtimePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeProfSingleProcessPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncBasePriorityPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePagefilePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePermanentPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeBackupPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRestorePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeShutdownPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAuditPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemEnvironmentPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeChangeNotifyPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRemoteShutdownPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeUndockPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSyncAgentPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeEnableDelegationPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeManageVolumePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeImpersonatePrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreateGlobalPrivilege	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 31	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 32	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 33	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 34	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 35	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3752	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	92
PID 3436 wrote to memory of 3752	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	92
PID 3436 wrote to memory of 3752	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	92
PID 3752 wrote to memory of 2244	3752	cmd.exe	94
PID 3752 wrote to memory of 2244	3752	cmd.exe	94
PID 3752 wrote to memory of 2244	3752	cmd.exe	94
PID 3436 wrote to memory of 2728	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	98
PID 3436 wrote to memory of 2728	3436	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	98
PID 2728 wrote to memory of 936	2728	chrome.exe	99
PID 2728 wrote to memory of 936	2728	chrome.exe	99
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 1924	2728	chrome.exe	100
PID 2728 wrote to memory of 5060	2728	chrome.exe	101
PID 2728 wrote to memory of 5060	2728	chrome.exe	101
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102
PID 2728 wrote to memory of 1780	2728	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
"C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb883fcc40,0x7ffb883fcc4c,0x7ffb883fcc58
    3⤵
    PID:936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1332,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:5060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2480 /prefetch:8
    3⤵
    PID:1780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3824,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4468 /prefetch:1
    3⤵
    PID:2880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
    3⤵
    PID:752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
    3⤵
    PID:1592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5084,i,8284911492388252708,16228770929436508426,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
64a3905e5c90049601d037dc0d92c9bf

SHA1
2bfc0cd21d85668401288d2c6b6fcbc4c6007c18

SHA256
7de819015c7f1ecc58e45b382e947d925f2c937b956537eaa6fc4f0a1b81dc16

SHA512
0ea2a48c6ce076fdaafa80312699086dd4d8e865e278481e3c3e3c04a51f21e7e851786310479e097aaf6ec077ab4fa81a6d3b6e2b2fe47da34dbb3cbe98bd94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f4bb330d4cbbf2e9965317ac7b6c7541

SHA1
5266b8615cba50ec8d46b61778def868fd27713e

SHA256
8c0cd3f2c8e493444d0ba0e63e7423a5639e5bf75cc7c393c513066c85a2ad47

SHA512
ef24deb935d972c3f10cd2eda9063b2814ba5b22c583eb9e5e215cec63bbeb5cc9c1715bfc3cae75b33e412f1e16d05fa8b3542d40ebcf58154dfa7698ef56e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5f3099d733296cb87c06e25ac07a835f

SHA1
56d5ecde098399e5933f51165e345f3777666657

SHA256
09c02091e7230b06217f69c63921831e84c710cc682b19548291ece2f2002ed4

SHA512
1fa0afa74976e5102ab86742e7f4d027827bd100c71c89b2c1c16b203923dc51dfcfd83bf331df2a7dcd6cc1bd5fb18b187595c30e38738ffb117885e8f95bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b99d87170aa379cc8cc3068cdb09713

SHA1
249f8d37dcd99e14c79e026ce7d65b784af3ed7a

SHA256
8c299f8bf053ca1e925e2780ea32ba4c2df99e8dd38bbe2478ca91912b7e7416

SHA512
3d9dea98cd7b88b391d2667ef3fafc9ffd50b809f9f6cac148928e6822e43aa1a397aa0a758a5f2e2de1bb82064b045e9ac6effbe1bfd24a5f5432e53c2bbc55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0405f265cc7bf024931fd772d4303a8

SHA1
ce25064efbe028cbe22bcc22f363b5956b41b697

SHA256
33a86cf605885f8b43fbb12ee91fc577937e38a31bd3db03c6fec6e5ce0b7cfe

SHA512
0dbdd88ebd728300eee00c9ff3810f163c254513ee59baeefc99a0fa770253de666090310e44241cf7fd5462386f163473415fc1715e7e3ebc19da8a2255272a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4753895a5195d50a7dede474edf0909a

SHA1
bca1a679f0717537dc5fbda4d2d69de50b2197b7

SHA256
e863898aa673164bcf9082b6bf17c4b7378e46599df426a144285c7784823d6d

SHA512
833d6602b3d6b4455fc989c91396bd3ef9c4e9a2b819c132a4ea959fde57b5544981920c53e7e93b1c1bb3c7bce026eea6e80c37ce397e9d06157e7ec01a1a6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aff08b55c037699897badeb59989c387

SHA1
a98b4f97226702b82d057ced37c25d3fd4e21d52

SHA256
f412bb28cf8bebf858b22e0d693b9f907a5bf33863f9272a853682de7c260690

SHA512
1585821599f2f0cca9129f319b335e1bfb543cce5fc65b8f9b84e29302920fd9b0c3e4c6e9866b6da66cfc23ed2ecd34ff95a90c6f8c3c1a08eed43f4c5b5f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26a2670b76c1b24b4d2bc6a6c06d9a18

SHA1
95beb5d80928cc52ce6c60f293437feac3d4a15c

SHA256
b80f516eaa2b3bb14f55e45e16b61bed6170ad663c4f0bfad41b4fab62962f50

SHA512
dc6b38de0af357421807c048f5869b06862b9e568ce6e3d663aceaa90805ae419d35c8c340a401b79ebe658fd014dc83f61ba1a33ca6b408f9da4c0e257f2fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
1c86d5938c933443055027c49055e547

SHA1
1b24f51eece18379b426b05b5aed2f9dd8098276

SHA256
da90bd9376deeea5d292751c11a0e8366393fcdddacf9065cc0ffe2186c0c7ea

SHA512
ffcf409e5303f7879c44f55097eaeaaefe3d73d79213b11a034f3b5b73c09fc58b6cc57b234ce09179f0c78e5f8f1a6fff9b2f1ecfc839b725c68c701dadc80f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
08cab8b448cbe3211c275103ef606d79

SHA1
d27973ef877b2b1e15d32e7be1c4a587a74cb4fc

SHA256
64f181f274d5c51287c2bf9527e23b101ce812ce7510a9bb85d435daddb3aa6d

SHA512
8867e6dc9d58027a095f58893de52b500bae040d70a4cf392b186cfb52d3c5c4405dd68245399c18d1121992702bc99af96c2255ec1799838037529f4cd897a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
644db44b4a5746398c54d50fae5b3f09

SHA1
7089e20e9075789b66335a0f8cf511cdaaa1fb7e

SHA256
6121aefa528ab70e07423f3972c37986cc32b848708702caace7ddeaf1ed764c

SHA512
86025adeddd295b6095eb14cf2eba560d16ef928064f822772d948d0bccb81d2c0f836f27367672e6d9194cb6410b5f6646dd9738734393ad1bececd2b395111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
ab3cbc2fad95cf39f88259b837ed4e70

SHA1
4930f54f1b8e4b54da63c4a780bb4e4502e42fdc

SHA256
b77c6d17c2de4afe2fb27fd98582e752b7971bfbcbed31653d177c55502f3f09

SHA512
b040d47931235d2f7402a702a40b2d7b15fff37146852dc72443f87393ed6524be8953aeab9b1b5aad29493e94ff853875acbfa4488440707097bf30bf32e800

Download Submit