socelars | d6848b7bb725e3597cff6e9f56bebbf2f4822a7b9ed9a74d603f1a1c5b0bf617

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Size

1.5MB
MD5

8b28b4cfd5fc4e1ef82f7a96f10bf89c
SHA1

b3508ba8a9e143063f98fc2d0cdb4782fa838e22
SHA256

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f
SHA512

603d2aea823ae99f9e437cad499d91f539c833123dc525e63262662455b1a826e6840d59f64cb006a8c8e7a228848692eda4c056aeb9b6c33ac4a0bda29ee23a
SSDEEP

24576:VxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4RZ13:/py+VDi8rgHfX4RZJ

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	iplogger.org
24	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3968	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698448326582740"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAssignPrimaryTokenPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLockMemoryPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncreaseQuotaPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeMachineAccountPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTcbPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSecurityPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTakeOwnershipPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLoadDriverPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemProfilePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemtimePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeProfSingleProcessPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncBasePriorityPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePagefilePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePermanentPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeBackupPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRestorePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeShutdownPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAuditPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemEnvironmentPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeChangeNotifyPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRemoteShutdownPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeUndockPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSyncAgentPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeEnableDelegationPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeManageVolumePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeImpersonatePrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreateGlobalPrivilege	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 31	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 32	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 33	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 34	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 35	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe
Token: SeCreatePagefilePrivilege	488	chrome.exe
Token: SeShutdownPrivilege	488	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe
488	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2788	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 3696 wrote to memory of 2788	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 3696 wrote to memory of 2788	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 2788 wrote to memory of 3968	2788	cmd.exe	91
PID 2788 wrote to memory of 3968	2788	cmd.exe	91
PID 2788 wrote to memory of 3968	2788	cmd.exe	91
PID 3696 wrote to memory of 488	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 3696 wrote to memory of 488	3696	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 488 wrote to memory of 464	488	chrome.exe	96
PID 488 wrote to memory of 464	488	chrome.exe	96
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3908	488	chrome.exe	97
PID 488 wrote to memory of 3532	488	chrome.exe	98
PID 488 wrote to memory of 3532	488	chrome.exe	98
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99
PID 488 wrote to memory of 1696	488	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
"C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffca192cc40,0x7ffca192cc4c,0x7ffca192cc58
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:3532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2344 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:4132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2280,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    PID:1928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5164,i,12688059592891787010,12804589245184563913,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4960 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4604

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0311ce3905a107832772cbb80a3e2310

SHA1
d0b560fb6c432185508f11ff95a30c152d4310d5

SHA256
399df3dcd19a39d791f926ed94e1d3ba493f82bdb98ab34e6def938a1756baa2

SHA512
4045d51b0e5bbdcc2e3415cfcb8ccd212bd8e4b2e743d3d00e6e74f96c2773d1f4732ebae1a3aca8b3a87c2d83304bdc5a40b7182dbe5a4ae0c9f05e71ed9dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aca0cb5f8813ce52832babf92194b358

SHA1
7ece71be822f73ab9a668904d3feb38548a4ea84

SHA256
b4bbb1e202a9fc9db3f486916254d15f7f6622659707bc5ab39e3ce7c141392f

SHA512
fa4d53a01b42dfdd502891b197ef3fe4208adfa4378ae5e3e7b97c52abbbd7555a7643e8ff3b0849cc92abffd8bba80306f47e01b7ea249f5e706c3861abbbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
42d2592423db5446769483ecd102d10e

SHA1
58e96d021ecf99784d286491d78966df91fa92c4

SHA256
5e353886b1d60455f55c7b34954175c1c234718ec9d14e776ebcead14923c7b3

SHA512
5df134d9d7c8fbd8cf2329e848ee7a318489493700e99f1593243b8eed89d8e64f650f94c4257c846e2fcf89461a628272ec8f91214e4edb5ec28a895827be14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57f9bdeba279fea15fcd475b1f66d573

SHA1
dafcc8a7aa478a95361d4df65670820eb9c448a0

SHA256
16c5d9f4911f019b3f96429e7465947158b7fc75f72e866a431f0c155201b673

SHA512
930a2d6e4501e4942016574fc939fdc726ffba6b5c7a554cc8ce13ebad09420811cd036c92d3bc2d96e3ed8dd6aa0ac9420a419b67d97c9962a51113cc76f57d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c30e49a04a9d73c1b94215bb09c3aaf3

SHA1
60f2b20183fe707b60278a998ae9f25e4af1b74c

SHA256
9dc6f8f0462fa2c7e8bc4acc09977d9c2cc7cd76908e8eb54a80231a84f0eb94

SHA512
146473bb9d16054c8f236aa280a7aa1c69a365a8beeb9ef9f05c9249ff905bebeeefa8c0444b70223f34cfde2ebea22dfb8b22c8554e3939aad8c1abd114b1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45bffcaf9f63fb15fb64e157717521f8

SHA1
ef24d23fae2f230f440e981631c379c68177a542

SHA256
fb85281f01491b4e03b6ceda82f86f76bd83b5d06c5d68fefe432ce08834bb60

SHA512
7994115dc0958903c42955eb4e71ece7e408f6d554921e9f3082e730d85de909d9534439b2297767f231101de5c582ab8d5afaf1956f21128ec33b088f89eeda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b792bd544ee5337183b4794e029d01e

SHA1
2b92d11951d011c8ae699e16e07f19642014080a

SHA256
832cc931179196c054611dfe5661351d6f860c701ecb92f46e2ce0c7cbd9fc9e

SHA512
e2c282d6c9372a8f52501df151d0aa346ee3f1d08ca93b883536a0d3fafaeec7a30f028bfa8185d7e4de1f5fd44025021daee873abd3d5b0b81289ad1d13f0b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
737b54a09905a06432c6363f0f37d294

SHA1
8d54d399f0d48dee8dc34efa381ff76a09e56237

SHA256
683fe77d81d0c45626e194aea41492da7e188f0d67a3a24643a3daaba1ab706f

SHA512
e449352cd6971229b028635d704b55070005f871c40de6e16424dc38baaa6b3fb083055012be65e3c9d2be87584fa817401f708fe9830446ecedc81a950bf66a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
827ed833d76f1ca6affc14d97e410856

SHA1
37501501cc42dac94f0c1d86f8fe086131d51ec6

SHA256
27c751702afd3c4d8f939b5e3a6ee4e020954670f5ae94d82a31cd8a91a6e2cf

SHA512
28cff13cc260b94936e7ef677bcf2c5ee6718beda87b1645b76961de7ee61f28be7fd469d6a48ac8cf590eaba6d549af8983323139d788b777a5fd0d7c6a285d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
0e965f3fd90bdedda61021496f11efbd

SHA1
a9fab8a059a7ee09d34488e42cac2bd647c0fd26

SHA256
b375d56dc7c63299aea0dd5c2179a479a7d706a5530bc8aa8ce7754dd27a9516

SHA512
0bd82c654f08f17b26b883ba45f02ff06092c9bef8307e7957c3a08a9af59547d8eb9d7ecc7dcd6f47f720b145165c509a27878d72fc0714383c9061063a73c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
fea098b8710fd0e2ed3f8d2a9f16e2f5

SHA1
5f06e2e9aec0d90e579a24a292dcfc829199b119

SHA256
7ffa0d6a2df0d4f9de2f558626739fb49f3fe3bfab6af005dea89f5300611e15

SHA512
6ce5745e64c764bd43b3d0e9bdb5fd81d64f9eb1773b95698e07603d5d3652e97b05eaa05e25ede5083443d1d119ad8838113ed35a1bb178ac82f3097e7deb4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
44ecf891052c81f266169c874f4f782d

SHA1
6ac35d8a34c3858bcaf47db2fc2ff616122faf11

SHA256
c410d1e352dfd8848feb6c854244d82d1b579961c1d410e5cb61cf0651991bb2

SHA512
eb1910b29d499d0d09ba41a03a0b1f367718d71ba3eabb6ff0f388da2a46c8abdc536d5427fe4bb6603b3d7f9634d765872ab614be37115e82d3a16b93e42bbb

Download Submit