socelars | ca89728f96d72931d4c9e224f1fb79abb214f09b58f6e967a2105a51e62adb0a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Size

1.4MB
MD5

275ed964b4feb7d2d12053dd8eeecb7a
SHA1

8c33019c08529ce2868c7ed86a04a16c5046a718
SHA256

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1
SHA512

8cc6c9912dbb6482b2481d8924d4dd17aa7765b40655f2cf946b930335ec0f62cab939158d13f89155ea3ce15d2e0eb3d712fb0fb74081be5756e3d893347246
SSDEEP

24576:dxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX32Z1qsa:npy+VDa8rtPvX32Z8s

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
17	iplogger.org
18	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4672	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696982957707745"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
816	chrome.exe
816	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAssignPrimaryTokenPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLockMemoryPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncreaseQuotaPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeMachineAccountPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTcbPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSecurityPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeTakeOwnershipPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeLoadDriverPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemProfilePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemtimePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeProfSingleProcessPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeIncBasePriorityPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePagefilePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreatePermanentPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeBackupPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRestorePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeShutdownPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeAuditPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSystemEnvironmentPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeChangeNotifyPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeRemoteShutdownPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeUndockPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeSyncAgentPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeEnableDelegationPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeManageVolumePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeImpersonatePrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeCreateGlobalPrivilege	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 31	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 32	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 33	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 34	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: 35	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe
Token: SeCreatePagefilePrivilege	816	chrome.exe
Token: SeShutdownPrivilege	816	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe
816	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3864 wrote to memory of 3712	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	89
PID 3864 wrote to memory of 3712	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	89
PID 3864 wrote to memory of 3712	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	89
PID 3712 wrote to memory of 4672	3712	cmd.exe	91
PID 3712 wrote to memory of 4672	3712	cmd.exe	91
PID 3712 wrote to memory of 4672	3712	cmd.exe	91
PID 3864 wrote to memory of 816	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	97
PID 3864 wrote to memory of 816	3864	82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe	97
PID 816 wrote to memory of 1760	816	chrome.exe	98
PID 816 wrote to memory of 1760	816	chrome.exe	98
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 2696	816	chrome.exe	99
PID 816 wrote to memory of 888	816	chrome.exe	100
PID 816 wrote to memory of 888	816	chrome.exe	100
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101
PID 816 wrote to memory of 3440	816	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe
"C:\Users\Admin\AppData\Local\Temp\82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bc16cc40,0x7ff9bc16cc4c,0x7ff9bc16cc58
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2012 /prefetch:2
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1704,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2500 /prefetch:3
    3⤵
    PID:888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:1732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4364 /prefetch:8
    3⤵
    PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4428,i,1443371658783866542,10960502975855791084,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2656

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b9c78d1f6d5085acf676430c43f895c3

SHA1
96c63afbaf8901df363241c0421d6317f64c45c2

SHA256
572eee777a5479276ef1de6a1da100f8d5df49d2811bb9110d49463688aa7094

SHA512
f93745a7f4552551fa4297d15c42e548701e9091761bdcad2f29986ce3dc827296dc25fb25d4ea914c19b5c300f5f3430a76ec86963c623e21b657bda669af9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8d3719c57b1078e0f66bbb82f324620b

SHA1
0b1a1e39f12a6390a1f9174fcc40f078ad56d121

SHA256
f8fc5312f36501a1b9a801e16685d838fb4da6098f47cfeed4428cf077dee742

SHA512
70829d6fc7cc6585b54aef922e67f1891fecefd82c960562bab89efd5ba8ac4b11fddd3aea2184102b196f82519101d6fa376a8814a746d5baaf021de26ae7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
26a96061ffe39907502d450f364dc06f

SHA1
82b73af47258dcce3b2e2943018a444f18564fad

SHA256
f25ae8a18fa5654507575c8aefc986fccc2d86af22dd988064a78822eb65847f

SHA512
35749c671b01ee6ef7d4d12991935c0693149f618db7c561a8286617be3f069ac322dc04a95b6c72314aafd3b7719499f5504d5fdb761e0ba9f26c62cd7083c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d30facfebb8cf68d02c7436153c32593

SHA1
23a8beb9da15c77f47e1b67f874df512de5116e5

SHA256
e9310d788c83a7e48bbc13ff18ffaf0ff9efa017903060bacf497018183e8065

SHA512
417254262047813a2a16a17fcf2394ad656c58a268e26200d46132ed99949a485614b745cb470c872b716237b29cb73cbee86b9746177210a629871104dbe01f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68512627ff4a68e175aadfafaede1fc8

SHA1
0feb1689a606fce2f91620f0324fb4d249388258

SHA256
3a27a913c5432f3cb362a941e744aea47db249a1537ec65cd0f544a2b4fb9ccd

SHA512
cb1a7255cab0b1b33667b8d04d4ad156c2d460e0795ae172bf880263598f239df4fb4e73413b93b0aa5a3e379319163af93b6b4c70cc77d668f069539ee8ae58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43f486f5cc2783ad69e740503ad1e65d

SHA1
c6f1fd98927657e29c5469e3c4c635846f6fb6f3

SHA256
7cb964f7214550dbb4240b1e07c209127b66197d3504fcd5119f153e8c84eec1

SHA512
fa6de578fd069e378ac105db3aa76f2ddf853c3c67aaa20316f563b98a0211595faf07d39f5d569b894f9ee8a5b6c86a31c114f6bfb7b7bded512f313313c17b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61a3e70cd5b74ab0fd09984a5644deb7

SHA1
a3d03b150a1b9fa23fb6dc78ae1c33fb2a76c4e1

SHA256
d23c2380d0ce63ee24b4572ec89964e360b356174b2e76517a645e61f612a679

SHA512
01e75e111e175f63884c80e60820e7586f0b49ca7e2810a74978a8cf31bd39adacad77db32bb23b5ba18d3cccaf03283651521b9b0c92f3faae0fbc7047521de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
25c4e86cbe90f16999e348c3bad49597

SHA1
a85be76cba4c7c190206f9e6c169c5fdf4d8bd30

SHA256
aeb07e2516d97690d4e496110a4cb0c3c53c2c8da7194661c3fb92318ee54f78

SHA512
a8d75a408a27aaaf79ef6068ec58209973ffb4c31a3c8407d1cdbd421ac2f69dbf42d9bf9650c55f1ef270373938b3c98a03d897db1eb040560b6f943cefddc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b603045b2a6a7e6048d7a6011e578f6c

SHA1
a99e0b0791ac8bb56ad815b94168eebcede9fd21

SHA256
f0406e7f428f56e8fa524aac622432c64eb7c8c215c5aa142e83e5afd104dfef

SHA512
5788067a3f1108b83c24deccb7ad3cbbf87ab9ed9378de49f13ff2a415d42436aa28aecfe6dc261724ecbf8092379fc89e204a83154542bdf8a330b60a395050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
eb2fc6cfdf7c193e9276f097b0c78081

SHA1
b27bb2a710e085c0866904b5c4726ce3f847a867

SHA256
2e6f081b7bd00abe46835f28d22b1233b88afd45bf6eb66af2ae62688a156836

SHA512
21dd49425a77373c46d5d27e9df545bed10e59d7cc45414040522034a1dafc26bb1aff0d8d407bbf709ac6995396c4e1c6fd0513c542531ba90bb9c8ef980e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
802e792401b8403ce7f1a23999520cc5

SHA1
0a6dfd426e48b51ca677210ce901ef6fe65c2a9a

SHA256
0cdc7f97f97016ddfdfb2aecfa62d51ae5a51b2496ed58992fa534a22d518000

SHA512
3edb39d0d5811274f92f1bf3dc571d98ef10e5d400f9237b3face0141dd3c6f9f99a600377929fa7cb76f35af1597f7f6971e009537e31b71020a39c4ef1c3fc

Download Submit
\??\pipe\crashpad_816_DOZXKDPJTLCXWSAX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit