socelars | 74e0fb6835d90478acdb772f26fe1538f244ecffb49394234ffc8e44dba80cec

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Size

1.4MB
MD5

7330398e4bc7afd3740c804362ec8a99
SHA1

02fb96618ba3c6ce8d82b511883fa3d9b99ca935
SHA256

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32
SHA512

812fbf165de8c209b6eeb7e3aff11c1740f30d518329bcc78a472cebaee1e59c2b6c0ef3388aba53bb1901d3318ed9dc726c447a1009f74f98352ff4fedaf322
SSDEEP

24576:3Rp2fYlh5hJYrsWSlTeTmvL2aIZX8W6jO2kkYOnbXgwpVg/:hp1v1jC5jNTOnjjp2/

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 iplogger.org
19 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
18	iplogger.org
19	iplogger.org

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1700 taskkill.exe

pid	process
1700	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698597824968031"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2612 chrome.exe
2612 chrome.exe
748 chrome.exe
748 chrome.exe
748 chrome.exe
748 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2612 chrome.exe
2612 chrome.exe
2612 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAssignPrimaryTokenPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLockMemoryPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncreaseQuotaPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeMachineAccountPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTcbPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSecurityPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeTakeOwnershipPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeLoadDriverPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemProfilePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemtimePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeProfSingleProcessPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeIncBasePriorityPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePagefilePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreatePermanentPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeBackupPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRestorePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeShutdownPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeAuditPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSystemEnvironmentPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeChangeNotifyPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeRemoteShutdownPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeUndockPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeSyncAgentPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeEnableDelegationPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeManageVolumePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeImpersonatePrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeCreateGlobalPrivilege	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 31	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 32	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 33	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 34	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: 35	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe
Token: SeCreatePagefilePrivilege	2612	chrome.exe
Token: SeShutdownPrivilege	2612	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe
2612	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.execmd.exechrome.exe

description	pid	process	target process
PID 4464 wrote to memory of 4876	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4464 wrote to memory of 4876	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4464 wrote to memory of 4876	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	cmd.exe
PID 4876 wrote to memory of 1700	4876	cmd.exe	taskkill.exe
PID 4876 wrote to memory of 1700	4876	cmd.exe	taskkill.exe
PID 4876 wrote to memory of 1700	4876	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 2612	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	chrome.exe
PID 4464 wrote to memory of 2612	4464	17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe	chrome.exe
PID 2612 wrote to memory of 3656	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 3656	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 4552	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 3264	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 3264	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe
PID 2612 wrote to memory of 1524	2612	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe
"C:\Users\Admin\AppData\Local\Temp\17f36f9ac30e7ec160932fb3ef8efcc7ba779a63fe7e2510857a2e6d2909cb32.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9749dcc40,0x7ff9749dcc4c,0x7ff9749dcc58
    3⤵
    PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    PID:4552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    PID:3264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:8
    3⤵
    PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:3452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3764,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3636 /prefetch:1
    3⤵
    PID:3436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4692 /prefetch:8
    3⤵
    PID:3532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4424,i,9336881881992466037,15971856941232259949,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ab8d248a6fad40eb85d9d9675a22e879

SHA1
26078ad02611c6791b331524734a8aefcccb4cea

SHA256
c292cc4741168b4705522d6ac9db1d119dccb5b7aa963b74da23168a803642a3

SHA512
f1aa437d7865347a636391c18dc659e005f3aada3e03cad85ee7674345f631d9bffe0c8617e0ccc40ebcf02f0afb451f2c73b7f383003102aaa8eff1507874c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
60f7929479a3d56392220499d7e1b2f3

SHA1
9599206adfe9ed8d4bd9d09f2c3a7a182a7faf08

SHA256
e79baf522437488b77ad10decc405f369b21a872b3bed07742a21c13b0da7bb0

SHA512
9c1b75beee4dffece34f3f0d92f748b8e8dcad54905b5601c43cb8b82125515209c607dd9c407745da9ddc7b5add60e5cdd4121acd655f6bdd7d98bbd955afa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
80af42102326a199ac4be0971177829c

SHA1
6b4903b32a15b77ddd34c81c765ba1e52b85edfb

SHA256
a71c165919b8d5e9873890cd50522308439b1b254874d2b6fc19e21a54f7ec5a

SHA512
054cf3779fed49e60a79428c7cd5ebba0e12f15b154214b18d3fa0a3a70eb530c46f5b28caa2f57da8ac73876369f94527458e4dd3285f767addce0266ced790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b86e10af0ccfaefabcc447440a68cf7

SHA1
31cc9c256e3330bba0e76224ca84590086e8bfc9

SHA256
dc3c1a30d86e94060ed4e1ef0ed9e0e76e456ec43be3e8bd04a7310d51a65cf8

SHA512
1cd922f8ade24d45b781164c2576a4797570f8b170245e83b91ac74f1a06b779e280ce9486af9d50c9c52f1b087e847e51db8ff315db2395238baa1049025ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8f50ba1b0283665b4cc2f74bc7b95c3

SHA1
fcc3682afea2cd8ddea3fbd8c568f6d2cef49f4b

SHA256
b39666919bfe584f0fa915c909f1951fbf401df797ae9cf60ac8a731b912bc8e

SHA512
dcfd5ce8002598a1d3dafbe42640d284bb67032742eaac5eac734d69cf10e53828bd973432938ab37272fa214b4fe2d2b60e5fc9a7dac7432f2aafb070a8608b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59e54cb5de8f7ff5f8cd78d74a0e143f

SHA1
15be0368a92d294003a0ec4d4889f522bcf080d9

SHA256
816f1002be0a4675a38c2f0c534fad170b6ce83b509979737ff24809debcd188

SHA512
cb271b209dddba9d6e094f4c2382f48b934ccfc9bc69b15a3dc57ad842c9577e8a24469bf7f60a8886de98e0080a2a1b78ea5a7c3f286bac12a7ee52db879689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
266ba281310786ef78d07a20d0ade9fa

SHA1
9ebb7ad59e9fa57dc8bd9af5f07e295399c55e18

SHA256
3a1b38d0cfd962ffaaf29965a26e70f64928af859b56dd3730890348904415bf

SHA512
cb854e4e06ccc6a8eb5f001fa039ad95725e89cd3f4cf2c3876ffce887d2d5bdc281af88f2b95cd20c811f026b7f77cc3d0cf0b7900f49999d342cf06ed97ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
771c241b20c72e6e7ba1c7a60cd374b1

SHA1
c3677adbd7ae1d8db8b5744b86bd19b439e452c9

SHA256
7589f8e4665789f5a7b6ecdd8085f46d84d879fbb33eb651d31c9751d653daaa

SHA512
15f3641474fd6af48d482823a2812e3462e18e537793216585f5284d4c4d3be56f28badc7bb2383bf8e60a6924918632aa20f896254b35f24185b4e77bde8a1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
cef8eb9d5f34075a8054d1569c1bb71a

SHA1
3f70c23bcfb1d1f18aea672f90c876a3360a2696

SHA256
332ebfce8678648baedcb5730b0f5e2b175c7306c28e4d386f2f1a2e2dd7be1d

SHA512
4fdf462871a2454c06085736917562d8daaa2267f2d93bc5e6563bdf5589e95308d37b3f6c3413658911f0417b042b88c96c2e06df59415261a855480ad142e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
a2fbe5299df0b19780503dc2da91fda4

SHA1
4d1cd3e51105c1acf5019f9e07a81f5b1aff5233

SHA256
2578bd996597072f7d8e34623fe24924ae4e162209e9141ebd7fde882d41f01c

SHA512
35591ef0975889ba282117c1c8afa04715ae2c9b74f656f5b45fc9509a8c584915323cd99f2ec37832fd16708b2069ce3744ff3cacecf363bcb971f548a4ace7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
126d1a5a3db24d3d0c2e6b7279ea7510

SHA1
10ac6fc3fb28414fec01f28a6097acc1b0998476

SHA256
c02ccd0d5790da70e41c26e218396aa7e1b8bbed0d8680c377193b47e6fcd2c4

SHA512
34cbb02ec3d287e315536f755fa4cf32ef2c8860ff3239d139f9bd3b02c716bebb5383eeb174354d782422b93f973e4438c9adbf66cf186047a9bfd402498b68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
c585929c9c716924ae0fe38526f5c4af

SHA1
7a82507819cb5a0c840a2ce233379172671bc2cb

SHA256
110fce2066d1a57f2fa01edd776ce27ce4496d7146413d98b26ea0102ca5c5ce

SHA512
533c2591facfa73e6e74305c5806ae86366fe5663d15bd9e51aec5cfc6480573efd76d0c39460a366e361fc531275ee4fce6cb7399766334ea079b329ec7e3e1

Download Submit
\??\pipe\crashpad_2612_XSJUVXHZCECODAZM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit