socelars | 74e0fb6835d90478acdb772f26fe1538f244ecffb49394234ffc8e44dba80cec

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Size

1.4MB
MD5

7330398e4bc7afd3740c804362ec8a99
SHA1

02fb96618ba3c6ce8d82b511883fa3d9b99ca935
SHA256

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32
SHA512

812fbf165de8c209b6eeb7e3aff11c1740f30d518329bcc78a472cebaee1e59c2b6c0ef3388aba53bb1901d3318ed9dc726c447a1009f74f98352ff4fedaf322
SSDEEP

24576:3Rp2fYlh5hJYrsWSlTeTmvL2aIZX8W6jO2kkYOnbXgwpVg/:hp1v1jC5jNTOnjjp2/

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 iplogger.org
24 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
23	iplogger.org
24	iplogger.org

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetaskkill.exe17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4020 taskkill.exe

pid	process
4020	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698448391544928"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

668 chrome.exe
668 chrome.exe
964 chrome.exe
964 chrome.exe
964 chrome.exe
964 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

668 chrome.exe
668 chrome.exe
668 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAssignPrimaryTokenPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLockMemoryPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncreaseQuotaPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeMachineAccountPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTcbPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSecurityPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTakeOwnershipPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLoadDriverPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemProfilePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemtimePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeProfSingleProcessPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncBasePriorityPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePagefilePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePermanentPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeBackupPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRestorePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeShutdownPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAuditPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemEnvironmentPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeChangeNotifyPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRemoteShutdownPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeUndockPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSyncAgentPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeEnableDelegationPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeManageVolumePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeImpersonatePrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreateGlobalPrivilege	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 31	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 32	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 33	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 34	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 35	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.execmd.exechrome.exe

description	pid	process	target process
PID 4832 wrote to memory of 4564	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4832 wrote to memory of 4564	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4832 wrote to memory of 4564	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4564 wrote to memory of 4020	4564	cmd.exe	taskkill.exe
PID 4564 wrote to memory of 4020	4564	cmd.exe	taskkill.exe
PID 4564 wrote to memory of 4020	4564	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 668	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	chrome.exe
PID 4832 wrote to memory of 668	4832	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	chrome.exe
PID 668 wrote to memory of 4316	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4316	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 216	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 2328	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 2328	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe
PID 668 wrote to memory of 4320	668	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
"C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff965d9cc40,0x7ff965d9cc4c,0x7ff965d9cc58
    3⤵
    PID:4316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    PID:2328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:4320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
    3⤵
    PID:1136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
    3⤵
    PID:3224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,5201210746560429159,13418997524969271852,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4776 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
1⤵
PID:3580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
293e5bdf6b67b44713a08d2ea4bb2777

SHA1
69c6962e685c747981ffa112cc24036f477ef58b

SHA256
c434df0a50f5008fbb2be2c25c5c90c7b7e86fd237e20a548562e6aeb3b14dbf

SHA512
c6ee113f8ab74e29c2d24019a8293893ed6f0211bdad1778c99abe605cc039af3c077b303673808d533718c243a8fae07f0408a302a25fdbbebb239cb23f2a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d9c9c44862f4fc46cb5283ddd7a3fe92

SHA1
30a3b4e428e93c2882a67d8f91cc47d8f9b08736

SHA256
dd99674675e2685c8779da8886b1e6538792ebae75c81f3c0c83d54170a4accf

SHA512
c2fbdf15887ac4488647d7021153b53147856be62f47a710ee1541230c15d1876dab52971fa69b754c8fa87aae4fb0281a464106e65baf609c3f926a97096605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c73c9d79a15a6947bf545c14668d2861

SHA1
49c6ea06d5fbfe3cc68b3f6438d7029c36692a0d

SHA256
3524492750e1323b51c9bade44c070cd96fa2e5a5161ea397248bf3c57db9418

SHA512
1a5d2a8a23301dac7691fb975e89e05f8f046802ce8718afe778291a6da324dc85d276e11f0bbe440b72b5e619d3cefc5aa075ccbf9c0c8b9c3759c5d5a1796e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e110ba33b6a9b07758a8a397b900613

SHA1
d900ddad8a6479fded1d53729cd3c04d7ca55d07

SHA256
2f6d4c1550d78823ed2d6295cb3e5e4cf7e66d8069650093d6bd152f14bdb014

SHA512
77ff8927b34b42a0a29e5732e22ff51c892178d04b30b11d97aa96191688f21ac42948ccb6aae6c7589bd0e4a54eb38474c114eed259eae692dc7929c1f15cc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e700244feba66c60a18c44552e23f0a

SHA1
a749dc133513c17508a5ebf51310927eaa700687

SHA256
e4dd0bfe772b3e8d2c95ff8fab5d9be12a8844e4ea565164c8a360d416af59f9

SHA512
4ba399f9e3aba1ce377780c51691fef792842fd70e77d1494389d2bc720502d95c2abee4e6cd4fb42bcbb0b0ab92d0e5f54f105a52fdc18167919df11c95d0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1046cad856b1947d40517e6609ce276e

SHA1
85b25582df7b0ccd9cc6982d6555b64001f863b4

SHA256
cd87a46b28b35720dbd9edb9fb54eac71b7fe0a6f70efb9bbc2fed3d55d1fd09

SHA512
3a1e8cabe12a87cad832c8abb2e16c2ceea5afaa208ec21f45a5c3368590edb440a855e6aec0c7a9de38ae77ed21d4443ac225f2f0f32a72b9daaccb85fdf97c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f56ee8b7dbed5c3a735639ac0515cb2

SHA1
2fb6cad602ca098525f6e023369b450cc7184391

SHA256
b653d0e7e88c379906cfb3083b339c944145d1402e4e92b16fab9a8d74046c5f

SHA512
18a3f5d201ce35872db224477ae4b2350f38e129b6ba4b50e701c8250efa5ceab95d9e3956b3139a5f144510c507743e5a724e04f9295d5d6b5d687e7859f7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
51aeb65ba40ade48d73a7bdceaa658ae

SHA1
088cd8cd20b42a1ef5f0581bb64ff677c3c0d889

SHA256
19643250c7204fea5b246ac8b17ca963fdadc0d9f143fb0be416ce0ddfdf6445

SHA512
e4624e51a7d7841722acad35eecdfd5a7493129cd9639bf0fe82aa2a38e915fa3c09dc3bf616300c18956b17f5939f4b1e7b5a9981740ea96740d3b825b9b41b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
7d52c05c8ac9b8c579b2a6ce1ece3b2d

SHA1
1c36da0f18ed3f2cbda763e8679cd48da9e0fde3

SHA256
2f74c6095877d7d92d7506097a7f1352a1ee527a56ce52e5fe48a2fb8d01f04d

SHA512
f22361acaa029ad1172c29c1494e468a3b8e37ba4d5c98a3797496d0488993ddb49afecebb5513a8eaa08f4da748329291e3e997029d2c72267ce9c0a50a4feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
f0ef563da4f83a65ef0caf2fe97f292b

SHA1
0e4e0256f95000609886e980b90bfbe9e79fc6a8

SHA256
0cd57e4f3011b92347d443ee4f4e841eec1b59046bb71653aa463e44c2baafe2

SHA512
fc7d85f2e7991e047f391084fe040f9768b38d112b2127208322983299fd8dd81bcab19866fafe473b0f6edca2967cc885b7375e3173b7d93b8ac14992f5f679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
9122eb8d63ff4caf9af86d418a6cd4ec

SHA1
dd9d660b083eeec3324bb232d466a4b230eb8219

SHA256
f6a4f4d4722326f7281ac21a574edd0545756f253c258182deaf342391433104

SHA512
cabe4e6aa9c8a1f40b13abfd2ce50190dcc2f0c56b2b158b2246ab97856190afea4139444b1b795172fa7e823832ed7ce910a2137f80ca449ffe5c94bb3d8c85

Download Submit
\??\pipe\crashpad_668_LJRGYBTQPXQPXUDS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit