socelars | 74e0fb6835d90478acdb772f26fe1538f244ecffb49394234ffc8e44dba80cec

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Size

1.4MB
MD5

7330398e4bc7afd3740c804362ec8a99
SHA1

02fb96618ba3c6ce8d82b511883fa3d9b99ca935
SHA256

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32
SHA512

812fbf165de8c209b6eeb7e3aff11c1740f30d518329bcc78a472cebaee1e59c2b6c0ef3388aba53bb1901d3318ed9dc726c447a1009f74f98352ff4fedaf322
SSDEEP

24576:3Rp2fYlh5hJYrsWSlTeTmvL2aIZX8W6jO2kkYOnbXgwpVg/:hp1v1jC5jNTOnjjp2/

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
26	iplogger.org
27	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4036	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698060628350850"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2612	chrome.exe
2612	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAssignPrimaryTokenPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLockMemoryPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncreaseQuotaPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeMachineAccountPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTcbPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSecurityPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTakeOwnershipPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLoadDriverPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemProfilePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemtimePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeProfSingleProcessPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncBasePriorityPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePagefilePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePermanentPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeBackupPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRestorePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeShutdownPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAuditPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemEnvironmentPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeChangeNotifyPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRemoteShutdownPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeUndockPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSyncAgentPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeEnableDelegationPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeManageVolumePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeImpersonatePrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreateGlobalPrivilege	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 31	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 32	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 33	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 34	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 35	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.execmd.exechrome.exe

description	pid	Process	procid_target
PID 2844 wrote to memory of 392	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	94
PID 2844 wrote to memory of 392	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	94
PID 2844 wrote to memory of 392	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	94
PID 392 wrote to memory of 4036	392	cmd.exe	96
PID 392 wrote to memory of 4036	392	cmd.exe	96
PID 392 wrote to memory of 4036	392	cmd.exe	96
PID 2844 wrote to memory of 2612	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	99
PID 2844 wrote to memory of 2612	2844	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	99
PID 2612 wrote to memory of 4884	2612	chrome.exe	100
PID 2612 wrote to memory of 4884	2612	chrome.exe	100
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 1416	2612	chrome.exe	101
PID 2612 wrote to memory of 720	2612	chrome.exe	102
PID 2612 wrote to memory of 720	2612	chrome.exe	102
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103
PID 2612 wrote to memory of 1252	2612	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
"C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f232cc40,0x7ff8f232cc4c,0x7ff8f232cc58
    3⤵
    PID:4884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:1416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
    3⤵
    PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3688,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    PID:3832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
    3⤵
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5064,i,12403495277477518755,14952870648530148786,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
19c95f315bde2293b28dfbcd5de1df05

SHA1
eeae6625ee9e58b37ba92d9867283d722b273160

SHA256
41f66fbe21bb25271afa35015e8e05d764958a0dacb03804a84ae58d98463133

SHA512
11626933d83b4c1bcd883158c8f14f98c29b5a8517228100b42662afe0f58b3105df5993550694b62c252575e5ad9aadca95adba490ce6d92caef91f76a88c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
16f327ca87f86eb779b9b7626421ae44

SHA1
3a409ec14b0049a2aefba1d11b512043d7d177f0

SHA256
98d5b75d6700c076ddf3eaac7185c59bbc1e869b2db23ea20e8bb193b8e8b3b4

SHA512
75b13d00fe147cd7b1abe0b264ec9bab909fdb77e4c0e22a535440a7bcb12c598f76372e12774fce48f3b2527ae629495d9a467e7acb3548bdffa431339c9a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
c7305f321f5ac63c843b1fe4fadda047

SHA1
32ee70a911fc2941be4d71b3e669625b4fb89fdd

SHA256
2a58dbe6363b18de8a9ca9b0c813545516f1d356b4c9ae264221691efa474f35

SHA512
225bf57d816959dd2b668c1cdecc0bdee9df4264eb9eeee560559a107d588ded4e47369d5c72d6e84b8fe3b3fb3e9aefa300c97427572df0d3d0664c461d8884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e603e2ab550c38ccb7a2079774295459

SHA1
38abe33850758c4c783093f0853033fe2c76767d

SHA256
247fbaf846721b6f13ce8e4a5010183275d08785ab36dd0f86b3862c8e6988e2

SHA512
c88427e5947f64434d95ff847c0ca6b8f6e65fdd700167c787a71bcd6fe7c3f9c6c90e19d29da8e262223a779401f55eb26039525be4fe3b1fc64e53bbf93912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
28cee21b91f09c907aba547d8d264d03

SHA1
9e083935611ff08ff23f433be9a4e7658aa9d662

SHA256
1f396df82d985860fc36d06fb9dee372079c40f595e5adfeb8fdba9212bbeae7

SHA512
d79df0739fa468f9e6cfd0cb994afc2c63023ccf203073c9058c6338ca01eca12e25177250527bb92f1c9c8addae4132a0a329b18ca8e5e25315a0fda065a12e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b6f53579c0ea55ab449151f2ccefd4a

SHA1
f4ea7add359d2b146c9b77bce4c29120b75c13aa

SHA256
428d190307d62b213271315a12b689d04e092049e334d0fa53905f235c5d0fcf

SHA512
bfc014f5e91c55219cfe165cc688d23c4b1181ac4b423867ab06e7c4567744c9db4cb4dc36cb04b131be7ad953abd0d64b86441b4b940d043837e2bfd2d20b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aa0777e67d7c33444c66882fd32c422f

SHA1
814c41d21c5a650d7d05c9cbaec246a1d39fe986

SHA256
f73ebf1bddb679929cbbacfaba1b0439c99405a953506d1a7befc16555954321

SHA512
bb5c870e9ba2b1942ca497af895a91c2a4d3053a095d511ccd48a2a105b72c5da1502e2dcc51162390b2135abdb9cce96cccdde8c30a4de6253e48bf5ee4930c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4a18fea116f525613791351974fa8fd

SHA1
7a2679fb375f4df36c0027fcd13c99155998ba47

SHA256
83aad805cbde4de0e59da376c9b8521409757d29468ecaa5b98826a9f04b2b8d

SHA512
25a43fd723f4aa5d63e2491c33fe27e4dbdc935532c68d8da95e3567192fd8636129e846ebce71da5fd67fefa29417c1e9e591ad91f243106ea8d13f225da0fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
14d7324143232953c7855b1bdc51f43b

SHA1
4227215028d7d1c21aa9cb0da02dc2236b2b9ba6

SHA256
cdfcae7ab299fa85d0abd0aebbb09571375fb2e2dfa23a810ea1424a4b8af7b0

SHA512
bbf0a1f3c283fee3992bfea9496c9ff0c9fb5a663446b9f31f5f6a9b98a8a44979782b98a9055355b29e5b8dabbe2ce0681408af41bce5af28a7384f71b5944f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
ca721f37959818d39c1b6949b46d21c7

SHA1
c3ba56b247e77ec515d8d991eda29484032f7da2

SHA256
9c73fda7f816fa15a501a85d698fec6bb4646ae992b5892dfc73313bf7e34214

SHA512
72a800caa3e9ff38c603107018f59797066b34637aca790fc8bdc863ea721f248c65ab77779c51e226ff40699d7a5c85e23f56be53ac86e3e3ed34dae25808c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
607a115b1f7f6fe422bf188e51d1585f

SHA1
e3612ce7aeaeff436618cb6dd7fd2be6fd1b75da

SHA256
f19d9b11aee17fa4125ce0f72749b821125de2ffe254bba0d7933c7330cbe40c

SHA512
6a4dd7c3afabbdb6d5eddd47d0655c6fc8b4bc6b1e6852d9e7de1b6d77e742fdac7082049df0a54c98177b18f38aab016cc78d7711c6fcf91546d5075471f401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
5c45193cad55da10a6a21a9a6e1c7541

SHA1
7bc7df841c5d2b2281b7609bd14ab1125d87b862

SHA256
10909f5d2a15963a6e0870693bffdd55b293a4ea60476f6c6e156696d5584d4a

SHA512
3eccadea2c539edf62f3263785b42e1ac5c1b2fb8bd0ec8c3f48614965984c0771c7531b18525dd487afccd3eb4ff20961d0b3a144d2433ba5db35d0911207c2

Download Submit
\??\pipe\crashpad_2612_MDDBDBIJMUMORLYH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit