socelars | 9daf6dd041934892100ae2edf69e27db7b2baa0ba22ce101e7c6fdfe179de5c3

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Size

1.4MB
MD5

30cad29a59ac340db201eeeff45ebdd5
SHA1

618e11093f8445ae1ac096d9fe68f0e7afb1431d
SHA256

9daf6dd041934892100ae2edf69e27db7b2baa0ba22ce101e7c6fdfe179de5c3
SHA512

33ea1643df24bffbde854aad4f3b261e9565420e7c0f9eed49460740e927ebf859d16ba077e26fea531599191d1396a3b9d834b1272eccc5b86b1e62406dd54c
SSDEEP

24576:NxpXPaR2J33o3S7P5zuHHOF26ufehMHsGKzOYffEMSXkduZ1H1:3py+VDr8rCHSXuuZV1

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	iplogger.org
22	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3616	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731291734320467"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeAssignPrimaryTokenPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeLockMemoryPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeIncreaseQuotaPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeMachineAccountPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeTcbPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeSecurityPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeTakeOwnershipPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeLoadDriverPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeSystemProfilePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeSystemtimePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeProfSingleProcessPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeIncBasePriorityPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeCreatePagefilePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeCreatePermanentPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeBackupPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeRestorePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeShutdownPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeDebugPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeAuditPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeSystemEnvironmentPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeChangeNotifyPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeRemoteShutdownPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeUndockPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeSyncAgentPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeEnableDelegationPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeManageVolumePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeImpersonatePrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeCreateGlobalPrivilege	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: 31	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: 32	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: 33	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: 34	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: 35	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1628	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe	86
PID 4336 wrote to memory of 1628	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe	86
PID 4336 wrote to memory of 1628	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe	86
PID 1628 wrote to memory of 3616	1628	cmd.exe	88
PID 1628 wrote to memory of 3616	1628	cmd.exe	88
PID 1628 wrote to memory of 3616	1628	cmd.exe	88
PID 4336 wrote to memory of 4808	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe	90
PID 4336 wrote to memory of 4808	4336	2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe	90
PID 4808 wrote to memory of 4300	4808	chrome.exe	91
PID 4808 wrote to memory of 4300	4808	chrome.exe	91
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 2300	4808	chrome.exe	92
PID 4808 wrote to memory of 1836	4808	chrome.exe	93
PID 4808 wrote to memory of 1836	4808	chrome.exe	93
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94
PID 4808 wrote to memory of 2260	4808	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-11_30cad29a59ac340db201eeeff45ebdd5_avoslocker.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd56cdcc40,0x7ffd56cdcc4c,0x7ffd56cdcc58
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:2300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:1836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1748,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2556 /prefetch:8
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    PID:3884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:2800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3756,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:1896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=208 /prefetch:8
    3⤵
    - Modifies registry class
    PID:800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5132,i,13738349661091624600,6836790657725042050,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1268

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2afeac6cbba3c94b91bb54d89537593d

SHA1
7975f71ca994da4858c7e072bc6c1e0ffcdc80a5

SHA256
ac34e916c484afb243942f0a332fe3b3d60f696eb70261d1876dbf23f44adf38

SHA512
7bccf543900f52e72901e459952c27118101fb38790dabaf9d77b82a40a8167fa3246dea6bee3fd729f1582c3461bbe1b942007acf2823b1ccc12b506fb3652c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2f3f3dd52c0705b0094b11a6b3c8f6c8

SHA1
7fe8e1a44142e4086561c476e6b4dce9133ce07c

SHA256
7d8de8dd3fcd8ce6abb486b73f46b2c14168366743971f185b93b259ebade11e

SHA512
1475954c28f552d0287584d3f000430c71298f7478f9747b07fe7ed8041140ec31991657dfeef7bd853107e3f23ea880910caf50faa64887960f675ecffcc407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ca4673677ab31caab078578181f8e3bc

SHA1
025bfeb81960553b5ffff304a10d18f34a4c06f7

SHA256
707ba278db419153ca96d279bad51b028ba607b60e3e9203bb91e2e8689b87f7

SHA512
fee3bdcc4d862d255039fd8e3765e34d766c557956557262d193e1015487bc41fed91b9704a2cb47fc705d5403c40ea460647d29589d0bcf4fd54850d0459a9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9b4f2395e23ac4d0f7947820d499fec0

SHA1
c59f2757643e23e922895d7980103ea24494f5b4

SHA256
696d518c45d545b987b62ca409e6dc710b497f8646d9a3edc7a0e807a636ee06

SHA512
f34d793d04ab0346e6911c3e6a2b22009928a5bc5edb1bd8c5facd1a6ab3e4c53c2c4df08477dc894bb9d0725b1717a588a465c5199d47f3e2f9ef01eaa4840f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
740f09dfca53da6ef0187de4ca67f5fb

SHA1
9e480778d091a64aa4c15e4f5a0fa62468e4a0b8

SHA256
74aa0558a8fcab66c24bc8b478f0a760f69d39e4afde25ff0394e8a1031acadc

SHA512
d114f459f0618506fc2c27fbbc471a2d0203ffeebbfaa8a2f789fe998e4ad4a4b7f33a6755abf82ff0bd6f1cf32f9af9214047be97d6a061fe0973892eff57ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
364d175cfdc3bbf6e2ad976f311c13fa

SHA1
0dbfe4c4960e4ff234c259f43dc3cc3913481fa9

SHA256
5e1099c4d5d50eae1e8aa3118172e5820fae534d5aa056c6c1dc040d0c8918ec

SHA512
775fc60bbde770a5be15ae72a620162ef0e65663bfdcd3dde180cc15fd850d00568f0898e5a0ce6c78da55d0659bd4b769aa1d5bc120e24ebc01fcec40d76d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
4e52a7e6ab05faaaf0e0c605191c63e2

SHA1
c464190eb817eac2de38fa811d0d0772fe8f5d19

SHA256
c062762a6f174bfe3bf436cee08376113d2fef597ba32e583e1c54c2c5e5eac0

SHA512
86107d0c56b6130cb56e6814e6b18f7790ba0398b89ec13203515765a84f4acaa360205fa253439084affcfa7ea38dbfd073249c7c5dd9d12e921e7a582ec0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
88fd0abfb7a16ba97160953341223d69

SHA1
96fd7e914ba32f055b4a1ae84d04f1a6b2fe20ad

SHA256
4ef688a5f654d2403fb854de661c1f1b8f8cb16ba16a7204132d4306fee62efb

SHA512
f230ab6abaa1bc6f265b4e6db8e3c0cb25cadbedaead10c849a90c5dc85c6c030dce2dea877aa8559495e274ee5af78398d6b4d48fb993b389021fbd14451ace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
66dfd870a4c6566921c281249e54ada1

SHA1
0f99d31734c866545a228bbd3262e5576c72aaf1

SHA256
387d6060715b1dd81a73debd646f75782b72e5779c45844698aee2a02d3b44c8

SHA512
db6ff82d94af001b10db32a6e3dfd413bbc5e8ccf56b125bd59a51527b5ac70ce473332bdfd4e000eb1e93ce2b0ffcae8b328a788433562f45c2cec00f0b4613

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
089838d62e813dceecdd6d8649581e7b

SHA1
aa564b01eedf36c28dbd86fceb6d811d8f0c48d3

SHA256
ddc460367e479936648c1c6bd65409f169796f31a928c882b4ba43afcabb03f1

SHA512
19d5c69e4e1695121e0869335674622d855a1a1d290f93ab2eb6cf99c1509dc4979e3fdeb059430a9a5e60a16e7023e8af14933fa636f74ecae484d23812d104

Download Submit