socelars | d6848b7bb725e3597cff6e9f56bebbf2f4822a7b9ed9a74d603f1a1c5b0bf617

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Size

1.5MB
MD5

8b28b4cfd5fc4e1ef82f7a96f10bf89c
SHA1

b3508ba8a9e143063f98fc2d0cdb4782fa838e22
SHA256

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f
SHA512

603d2aea823ae99f9e437cad499d91f539c833123dc525e63262662455b1a826e6840d59f64cb006a8c8e7a228848692eda4c056aeb9b6c33ac4a0bda29ee23a
SSDEEP

24576:VxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4RZ13:/py+VDi8rgHfX4RZJ

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
22	iplogger.org
23	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1960	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698653106661978"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2416	chrome.exe
2416	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAssignPrimaryTokenPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLockMemoryPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncreaseQuotaPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeMachineAccountPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTcbPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSecurityPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeTakeOwnershipPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeLoadDriverPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemProfilePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemtimePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeProfSingleProcessPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeIncBasePriorityPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePagefilePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreatePermanentPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeBackupPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRestorePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeShutdownPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeAuditPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSystemEnvironmentPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeChangeNotifyPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeRemoteShutdownPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeUndockPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeSyncAgentPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeEnableDelegationPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeManageVolumePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeImpersonatePrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeCreateGlobalPrivilege	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 31	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 32	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 33	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 34	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: 35	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.execmd.exechrome.exe

description	pid	Process	procid_target
PID 4104 wrote to memory of 1308	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 4104 wrote to memory of 1308	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 4104 wrote to memory of 1308	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	89
PID 1308 wrote to memory of 1960	1308	cmd.exe	91
PID 1308 wrote to memory of 1960	1308	cmd.exe	91
PID 1308 wrote to memory of 1960	1308	cmd.exe	91
PID 4104 wrote to memory of 2416	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 4104 wrote to memory of 2416	4104	6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe	95
PID 2416 wrote to memory of 2924	2416	chrome.exe	96
PID 2416 wrote to memory of 2924	2416	chrome.exe	96
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 3044	2416	chrome.exe	97
PID 2416 wrote to memory of 452	2416	chrome.exe	98
PID 2416 wrote to memory of 452	2416	chrome.exe	98
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99
PID 2416 wrote to memory of 1836	2416	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe
"C:\Users\Admin\AppData\Local\Temp\6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98a1ccc40,0x7ff98a1ccc4c,0x7ff98a1ccc58
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:2
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    PID:1836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:1
    3⤵
    PID:4840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4040,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
    3⤵
    PID:1440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5072,i,16799323866362548451,4547594850484552983,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0abdc1f9e385534a85c62639420a9698

SHA1
165eee5d58b8aedfcca877043418d9f5d5f5cf72

SHA256
cf758b7c66ad28492865e447aefdbb5d95ebed689e0322014962bcef56d93933

SHA512
e3c59bb929487346f10ee396c6a24de73835d4162bf540b1d8c92db2c78d32c8156f63f620271461c2a866a2a807aa3ff9d3a53cb1829aaa9058126b971562fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
00552428917ad08c7d44312f520e697f

SHA1
35b342bcdcad6ee120ebbabf68c7c8ced5e31d05

SHA256
2698f2ca79c464f716bf091ab1bc0b3938ffde725ea1da354d889718a9dadd99

SHA512
3b46d0b4c6b8be997b8795a4bab95ec907d60c73ed43e55d8aa2b718d79e748edd5df7f99ede38b0bb729724b87829d88f322f728032655f59287d6700b4b271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c3b07e136dd9e00f8b4a0f9b28ea4e5f

SHA1
f847ed3ac11a26470da7265125ead188579dd13c

SHA256
3bde6c8f3fefcf4f47190badd8651afaf3f9f7a1258f85fd7321f16e1a757c10

SHA512
30c18cf792c266b5128bb21819976a42adf323030fd5c60cfdc1f1f10fe5682ff3bfa09f95031ae8334f9c4b76110f2d4c078440168c3107bdc2a7f49f328c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0727d59ef9e9fb18cf4b127be2e932fa

SHA1
70167473569f68ba17cc339bf7f3626aa7fa0772

SHA256
bab22f942c77c4f9cea383bc4b3cb649adb7de511d61fdc5ec96f717445daa50

SHA512
2950aa6bd3bac35a6a0338fa02f4cfc9d681575eca5edf1ac6ea63ab1c854f3f9f6cadbb6d4326c73e039ca4333c881e6deaa9622aad12127b6c39bd71ced4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25657cae373a9d1ebb978d7a07c79abc

SHA1
8447951079a1f1aac60f9fddd24b1fd12a37ea4d

SHA256
241976d6cdfffc4f8b63c0ee197289d4090b0fa400ac7ce5c9a2c1ea9826bf0c

SHA512
546766fecfc30d93ab7218af3e42a6611619b241961c4176cd18ebc27a7bc97a26d836299ed7b221b4079819511c423e32093f928ed71a7dde26394680e023ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d2f3e07e6fd71ee9c38324bd4c3596f

SHA1
245ff087d1e35b8ef26d01ffe7d799447303c8b3

SHA256
9887f9d5984d37ffe71d887df59f9946c5cc008d5c751f4fa59c9570c1e6e9a8

SHA512
5adbe1f3e16044e9d44681726900c2b69e4544d88bade5726b762c37acca0b0c96d8ce644743fa1daf1423169e4562eda750625a8958d923a1aeab2bbbc61503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5b67c66e985ceffb6a8344f9043db7f

SHA1
08a5ab527da8cadef11af9fde2484401420f00a4

SHA256
7fe656a68bc1503ef408030f9934fe327ce3901efeeb6ce5eac4a67a3f9d225c

SHA512
742ef116d5d184519e44a8b87103f09c40e1dba595412848376a4d2019c8f83f331f994dcd43384ba55dcd28bbd91e29ceb0d2da25da251fc3c381f7f11525ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
293175fd00c69cf5d00db1dd03acef42

SHA1
6e659b0b4ef74c01674046b09177e28db39dd826

SHA256
ad6b005231cf7a6f439bccae557b96b5b2eee72feadcb3e49503eaabf0aea025

SHA512
0be9a9f57e3cd072db534a15e2a9bc95504adcd4ab029959ea892214010d9dfd7073bd75c016f4752fb3270404898d32ff923d4057c3c1b5b2baca75418d0996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1da0ddcfe0b6875292228f367044a262

SHA1
c26db1907aa09e4417bd75e198351bac5184a776

SHA256
8e1f2b3dac0049f4cfdf783e776893e66269524853ba3800ecdf6422efed85a7

SHA512
1a59471f7b8baa3785ff0dffef35486cb6161ad734549a2244077e2addfd2ef84ce2605d80d287c26d91104120b0ae467d260e9f2f300f656d6a25a5ae89bc82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
c5d3d051f4721b5264983f16e717e493

SHA1
75ae02daa89f8448219a062eaa7a63219df03cd7

SHA256
7991bfcbfcbd55e5ca65b78d7e67b53b6643a9821fd344a72006b1230a83c830

SHA512
2ed1f19f0d37c25f113a2c4abc31033444b0ddb674ff80148226abbe6ac28d20d64fca156f4f11ca9dfd9b2fbe9cdfde44e8adacbfdaf4259506f021ffd6583b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
521429a5939979192e1955b7c97c52f0

SHA1
a9274e40d877acf5b5d561f295a9d00a081a48c8

SHA256
32b07897a7a1bf9baaab521f406766a6d32f61086bd6e724a41e0ae3489e4d91

SHA512
32d89c700b48741ed1b6e6b24773fa6ca167022226af8ee3d78ef36d4f45cd985f672903e013e9cb66d102416230e4000ace9b3435284794609e752ccf6ebd51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
3b7d1223bb0caa2b58d39b6f8d483a0d

SHA1
61e80e564c53b32e786fe939fbf69e623781b711

SHA256
39830ab04783d85ae6810357c1cb73219c00fc159c092666b38110ebfff4bfb1

SHA512
12a3c4d3f1f2f5b4083423ca4ea964525ca22c8c24a5b0b873281ae6da16c6c25818c0e457fc6b7c3fe40dae7f1d5fe0fe6a97e9234578ae213c18971624179f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
46d91963f9ba2eb1e41a45dbc25d3276

SHA1
b2b8149e4799e25ca14265ffca309e828f1ac7ae

SHA256
a49c1b9598c00b1ba56327503af1c73739c25aab597c6c2ac866bd83f9bf3546

SHA512
c6d2c35361c8b4c39abe939a8c3bb5b410780904d9da81e84b1d22e6fe20c7063094e168f427e0143c1fbbb2fac3b909ccc5a2333c627a815ce87a92e1b05be8

Download Submit
\??\pipe\crashpad_2416_TPNMEONIOESQURQU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit