socelars | d6848b7bb725e3597cff6e9f56bebbf2f4822a7b9ed9a74d603f1a1c5b0bf617

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Size

1.5MB
MD5

8b28b4cfd5fc4e1ef82f7a96f10bf89c
SHA1

b3508ba8a9e143063f98fc2d0cdb4782fa838e22
SHA256

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f
SHA512

603d2aea823ae99f9e437cad499d91f539c833123dc525e63262662455b1a826e6840d59f64cb006a8c8e7a228848692eda4c056aeb9b6c33ac4a0bda29ee23a
SSDEEP

24576:VxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4RZ13:/py+VDi8rgHfX4RZJ

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	iplogger.org
23	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
428	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698102189245463"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAssignPrimaryTokenPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLockMemoryPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncreaseQuotaPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeMachineAccountPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTcbPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSecurityPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTakeOwnershipPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLoadDriverPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemProfilePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemtimePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeProfSingleProcessPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncBasePriorityPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePagefilePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePermanentPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeBackupPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRestorePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeShutdownPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAuditPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemEnvironmentPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeChangeNotifyPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRemoteShutdownPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeUndockPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSyncAgentPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeEnableDelegationPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeManageVolumePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeImpersonatePrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreateGlobalPrivilege	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 31	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 32	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 33	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 34	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 35	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 3684	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 3428 wrote to memory of 3684	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 3428 wrote to memory of 3684	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 3684 wrote to memory of 428	3684	cmd.exe	91
PID 3684 wrote to memory of 428	3684	cmd.exe	91
PID 3684 wrote to memory of 428	3684	cmd.exe	91
PID 3428 wrote to memory of 3284	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 3428 wrote to memory of 3284	3428	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 3284 wrote to memory of 624	3284	chrome.exe	96
PID 3284 wrote to memory of 624	3284	chrome.exe	96
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 3032	3284	chrome.exe	97
PID 3284 wrote to memory of 4288	3284	chrome.exe	98
PID 3284 wrote to memory of 4288	3284	chrome.exe	98
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99
PID 3284 wrote to memory of 4456	3284	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
"C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fb0ccc40,0x7ff9fb0ccc4c,0x7ff9fb0ccc58
    3⤵
    PID:624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1684,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3860,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
    3⤵
    PID:3048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    PID:736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4760,i,17564065739772890691,10627822347887895904,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1152 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aef26ca7c57b047b58df7f2768cb4ec4

SHA1
2feec68e3ba382ab1baf1289349133b4d230c07f

SHA256
8b42668782ceef6d308d1141057d128e167ab4a97100fb8f064ece82da3eeca5

SHA512
19514ebdd34c1d84477f4db48fd722762347c68ffc6b784c7492ea919893aab4bc13ddcf42bdb441f41ca5e2ca070edcdc63b503a0838486e9cf06773e51cf34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
57a194ba2d778df87b9c5f6208219bab

SHA1
5c5b3b6b5cf68b9f7243aaa882ed9e0ce5049948

SHA256
f59027e3698ad35e6305884841d3d3fc111f20ec60a7246a42dd8080b4d6bc19

SHA512
ea0ae094944212f9060b5f0629ef7ad4ee6c60b92993ecfe5a36a0b2ac13e078aecb9128eb698409ea4da9cda647ebf06cfe2ed41ec265ff7377d87c88f216f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
81e839adbc7d9555f5c1012368483ff9

SHA1
a55b4c71a4d4750f72ec5cf7eca2c55d569b787c

SHA256
5714fd9d42633583eb3aadb0bdf9e37fb282fc57ae9d7de2a016f1ac722c9b97

SHA512
2fd261d7a3767bfad4158754d58aeae778f1e2177b2988abd41f14811c431745491228dd70706fbdaa5d8c36b6cf416b16c9a2260b82697a957b7998d29e8a93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4739292c07cc58682335aa5ed6036492

SHA1
8466c922f705c2e2b66b8cdbbe0b4df8e64f3b77

SHA256
8bb46610736302ffd24e9d5885e2a1f5b0b500a6a95fd3098dba1445fe935dd3

SHA512
85233b0814087c5ebcbf274c2505c67d1dfe77887d25b261cccb909bc0a626dfff11dbdec4eb11951e90c2fa6d9120f829b2a464747420072b05d7133c64a3e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e77b4601333f6fb2114e0f11b9b0c7b7

SHA1
eec4d52c9f7452368f3bdd180c705b339d4be5aa

SHA256
8686b339df768e4f7524153b3e2e815d34c2086421aba392cda2ef9ba038ef1d

SHA512
f4dd65901dee9f277968d9a7f121aa9a4cdca733dd769a91f6316cd80b8cbbaacbfcb367e840e8cbdd481ef7a14096be33048579f22f7a1a7e6c8d0fe0d52e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc31da1a520b161866d94dee98e13a6e

SHA1
4d53f91e475b1cb8b558071fcc5c647895ac250a

SHA256
504e93fc4e5156c327f7254af824b1b7c79e1d4e58d38b2770b819113ba929e1

SHA512
727519c8933c1eea791c9f80d04c8c9b1562124a579ec25ef037108b303152ee5a622f464f04057416abac3c45374723bcd87ecd74ea6bf5b97239359c262380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a67dfbbd848b592307f1ac86aa331f9d

SHA1
cf14d21e5dee3a6c2908f67563ee741ca74a7284

SHA256
2b12e6cfb8ba649714f2d8ab04b05bcd0cbdca9f71545bd16082e4fa6c86b95a

SHA512
4b0e6768cde9a6c3659a8db5bf7408a53555843c07c3c9d7189ec8581b7cb5ef23a99a3dddae9aa6e0c238516489b86a006e8f81dcf783d5335b883370b742a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ddd85f9254e3b5a53e7c4afe939721d

SHA1
c7a43f1090e08ac375ac14648b1f9da940e7e7fd

SHA256
aa183c7c33e48149a3914a6b664bef1c0bb525172f89623224a6bf4a70cf0448

SHA512
36342b796a40f50a24ccd9a1b647ba5b05e05d3a6a41d04561d9021002304f17a897fa59c1d2dfa75a9406745a0d856400f2cdde3cef04098e8810b5a214e08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
7db41601fcf0a0764682be0ee2387589

SHA1
eb6f0e06030a5ce212afa4a689b76daf39fa13e3

SHA256
6224dca19bddd390c60a58d219987a9f2d737d9bee15e67417c106303be1d793

SHA512
3bf30bd301ca51d9b5c2f0b06e579b1790fa7e51e61ae90e7aace35cd9344fea5ceb46eb28348e3f93f6d908e1143dac8cd2f2e38d153934970206777ab4084d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
cf5a05c1e9dc82acdd591047663d7765

SHA1
0ce813c64b429782263facbc11cb595794221e6d

SHA256
7ead30ec129217064a9ce9763f1d90388aaf9a6088fe2d17c8988e64a34cc89e

SHA512
0eaadfa65469239e1b84c4200c6dbf10e93e38267b03f89959582ed8be11ea5ed65d0abcb9c6e00a1f257150a341a2c4aa0300b7b7972743c904d59fd33533a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
d3754b284a094b852f4e0532c25dc1ac

SHA1
68a8b65dfb2c43df54570ac93f5579ec03671cc0

SHA256
dc7f1230aceba333ab11aa1801fc87051846181603a5e77b540dfe03add544ce

SHA512
85e361f3f26e8f3b4fb249d47d310048236fa824930abda99213fabab8c824342646d6f4a94b131ff957188e7d2c54c4cfd633c4a693172d4e315ed8e56bdbd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
a9db2d41f356600a10daacaf4e3d96ca

SHA1
3373267ddb97dd69bc801efbf4351d8b0b9c966c

SHA256
f6bf61caf4a989ada42714ed2fdca7945d6cfd81679c341e8c31d906ee71b515

SHA512
2dc78668b62a5ccac275c76bd130159c73e18e0466ba77b14d5b6637b1264fd0e144847c95114d43b6e354ca169b9121419cfcdde930034a11c75ff9a11aa514

Download Submit