socelars | f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Size

1.4MB
MD5

435a69af01a985b95e39fb2016300bb8
SHA1

fc4a01fa471de5fcb5199b4dbcba6763a9eedbee
SHA256

d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427
SHA512

ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528
SSDEEP

24576:M4UpDMuCSO5T9iKvkK1dA97hfNpZZ06nlvmp78nLBuzPG+7:AplyTv1gpJk98nLBuzu+7

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	61e74fd78769f_Tue234b6c24d9a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 iplogger.org
15 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
14	iplogger.org
15	iplogger.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exe61e74fd78769f_Tue234b6c24d9a0.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e74fd78769f_Tue234b6c24d9a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

948 taskkill.exe

pid	process
948	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754426785872833"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4300 chrome.exe
4300 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
944 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4300 chrome.exe
4300 chrome.exe
4300 chrome.exe
4300 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAssignPrimaryTokenPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLockMemoryPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncreaseQuotaPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeMachineAccountPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTcbPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSecurityPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTakeOwnershipPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLoadDriverPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemProfilePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemtimePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeProfSingleProcessPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncBasePriorityPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePagefilePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePermanentPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeBackupPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRestorePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeShutdownPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAuditPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemEnvironmentPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeChangeNotifyPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRemoteShutdownPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeUndockPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSyncAgentPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeEnableDelegationPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeManageVolumePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeImpersonatePrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreateGlobalPrivilege	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 31	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 32	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 33	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 34	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 35	1316	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe
Token: SeCreatePagefilePrivilege	4300	chrome.exe
Token: SeShutdownPrivilege	4300	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe
4300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.execmd.exechrome.exe

description	pid	process	target process
PID 1316 wrote to memory of 4392	1316	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 1316 wrote to memory of 4392	1316	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 1316 wrote to memory of 4392	1316	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 4392 wrote to memory of 948	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 948	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 948	4392	cmd.exe	taskkill.exe
PID 1316 wrote to memory of 4300	1316	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 1316 wrote to memory of 4300	1316	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 4300 wrote to memory of 548	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 548	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5116	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5032	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 5032	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe
PID 4300 wrote to memory of 2668	4300	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc542dcc40,0x7ffc542dcc4c,0x7ffc542dcc58
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    PID:5032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    PID:2668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:1196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:1
    3⤵
    PID:744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3676,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3704 /prefetch:8
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:1936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
    3⤵
    PID:1080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5484,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:2
    3⤵
    PID:4712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4968,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5612 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:944

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c10bcf53ef6152591cc28bb0eabd6e12

SHA1
3014c65608ca84fc4db1d0cc539872235e83ff77

SHA256
bccc7526761fa454b1774bb59bfd5600790ac367992691ad5cdd6093c2be8458

SHA512
e87ef5c039220d36817bf6e1994c318f37d26074ca1262931ea883cbd095597d23276968865490281ad42bde338330756135bdf0545829208d4e7050f3ebc3cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c15720ed900a59917f27cd3879069dc9

SHA1
ea2e3fc5351801dfa6748e96e46a29a3fb8e4940

SHA256
c334415808dac2012e618e6652ee70f6f4c3821a840c5689fdc003345efac154

SHA512
45b9b6ea9c1db82f857b9a4b4f734f7a13492a36ebbec14951ea0205a5aec845773cedeef01056a7c99dbf339637d5d3bca4a91103646ac34f39cda17d82f08e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eb39d30395c79b1d013f13358ada26db

SHA1
ae57b0832df671b08f3666ee835cd9c622b5874d

SHA256
24a3c24433c234e86aa305594788683b25c2607d697a6b38e2911a9a68b06bc2

SHA512
4f2e9824b9f45577aeab1396b4c4ceed588c4ff6e1314141342f6d410e4a4100f48adec32eba1fa13b480e5c8c80b739f228bc68925bb81ba64dd480127a005b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
636020fdbe6bd3c2a5c9d445a8d5340d

SHA1
7512f568bd52be6663a437cd2307af01e65f0325

SHA256
78e51ac06f78bf49dc56ba7417df2c86f3310796ac2d0cc8def0bc56a2ec83ed

SHA512
480ed0e11b3ebf0d4e2965f5eb205d9b550a3dfb9cbac5c202e26d0178c19919015a50ec217f36049de58c9e5be794f04e9b5a22b27061cf1225e52cefee8382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
de0d0d4e310094c7de09f7928ef54c0f

SHA1
0b4a36fff0dacede29afaff0cb6985989dc65b28

SHA256
abd7b46e89724dbeaaad721d03edd5027de6b0467b476b04f1fcc7a60cb40f1e

SHA512
c6786ed76af205c012a1a11c2badd5a63508bccee87b27a1d944d60ce67e0af2d734f86c2412329f2718e99782dd83a757b211092d1dd97e1a1f20f126b5756c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
472b72acd83ddf7a4038c24b911de687

SHA1
2bde3e5d3f0e1fb1ddce4812e5f0e2127e9c9e50

SHA256
105885b950d828202b515f144eb5f55459a5f243a5e5a3c3d663538117bc6461

SHA512
b560aa4e6d5a428c9ff2fbadbaa855f2730d3842876bc14151990e0be9bf64a5618cbaad6019d93da9c8e9471cc1805f2d7c60a781d11972159624000d65b7dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6764e78491ae43a78adefdfa2b54006

SHA1
4832e77e214d245fa7c1611c422d207780671d7d

SHA256
eb24d3e734e7308c5dff36292561f55b2797980e4904b649d2832cafdde573c8

SHA512
5261de17efa438ebbfc6915b13b7f277f050087393d7285efb8472fe4a052092ab77c4c3b4fd6f0ecce9533c43cbc81bf9cdcf45aad36d13f618007a1d8c547b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5125ec8bbf5c9c9d0228761d0b8e8545

SHA1
788b5989b9c1fc23d6122d54aa93cab22cbaefe0

SHA256
9eb413c4f96380013b7d475f7a69fc94ecc24c7b2b709c1de59314640d744069

SHA512
79ed022a714d48d9e2f7b3abd8650ea5858c3708ecc66bfd8e42d4be58e92c4c828561e1f176b624c5d740c0b20985740604b3d83e2da82d48982aca2c89de0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
b427c4334ef88464456ed283efaf24ff

SHA1
553687717cbec5ae9dbaa5092acdd079662e79b0

SHA256
e5445b3bb040866eb735ca8c0ca8a8490dd1da0aafad6883862e678e15916b33

SHA512
e4fcb76343c8dfc2f36e7846dd7cd10b5d928a7bdb987d0ef9ae37283b44798a9a68b2f3d48ebae4fff0ab4d82398e67822adba662f35dc6719925760d878b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
1f92d8b5e04ed5383a64341ce79c2816

SHA1
51409cc01cc7ec1a86770226dc1d6a8a9fe52e93

SHA256
34b6dc62304ae77df147850bec73d6b2f497b66f06998203040aac7859b00718

SHA512
5ff264e9cafa34d228174c53db0609a2a7ee5092d19f3461c5390e472acfe6014ad316f90cc2fe3a37e347934edf3d310cac558a17a1e9db842082cac8bac5b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
245ef80859d188779ee89e73c15e5c68

SHA1
07a8f4ae9f5ff333c2ce226f4b5ec68eec73bc87

SHA256
9ccc2dfe4ee7e5a8adbe6a7134948d75c6f7b26d258bc4aeee90dbe98fbdd418

SHA512
df577c7f099507d5267401c7a4d6c85182e66bb98b1f7894cedf51a0dff2a6d96a7d9c6208c476a5741672e3fb3e12abe463504ea3c8272c081c2c2b4ef9f57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
1109f281db833e0c6f34914a0d7c5236

SHA1
4245566f4374246d692b6195973ebeb4a88d4895

SHA256
36f7853a658299ae23981e32cfa854e3f81caf4c7d5009fb9d5e8a7fef0d1d11

SHA512
95b592fc449fd330616d8826e61789c75502f1247cb76196631de9fa34c4a0973ec23cbe16f00b9954f4354638c9025f4ed79fe7eac2a72546037c69f4c92804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9d928e27417941ba195eff2b7e9f5e84

SHA1
cd3ba062b5468f7d32f73e67c7b57a42f5455508

SHA256
bd7f6fc1246e876cf2819b5e42ea7b8717d624ebdd5afe643378baa7d8a49064

SHA512
200bec74ee3429c2184b74eb8123105f75ff5ca439c32cbb10f3ed294c880b46d80242835ced2aa2373a0e2d88be284ab5130a6169aa37b792ce5bec97cb4ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_2081325151\14faef06-33ee-497f-9c5a-dca9f8916a03.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_2081325151\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
\??\pipe\crashpad_4300_HRVOLAFCOEQIQLMG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit