socelars | f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Size

1.4MB
MD5

435a69af01a985b95e39fb2016300bb8
SHA1

fc4a01fa471de5fcb5199b4dbcba6763a9eedbee
SHA256

d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427
SHA512

ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528
SSDEEP

24576:M4UpDMuCSO5T9iKvkK1dA97hfNpZZ06nlvmp78nLBuzPG+7:AplyTv1gpJk98nLBuzu+7

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	61e74fd78769f_Tue234b6c24d9a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 iplogger.org
18 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
17	iplogger.org
18	iplogger.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

61e74fd78769f_Tue234b6c24d9a0.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e74fd78769f_Tue234b6c24d9a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

312 taskkill.exe

pid	process
312	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756200144701004"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4872 chrome.exe
4872 chrome.exe
3528 chrome.exe
3528 chrome.exe
3528 chrome.exe
3528 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4872 chrome.exe
4872 chrome.exe
4872 chrome.exe
4872 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAssignPrimaryTokenPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLockMemoryPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncreaseQuotaPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeMachineAccountPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTcbPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSecurityPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTakeOwnershipPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLoadDriverPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemProfilePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemtimePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeProfSingleProcessPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncBasePriorityPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePagefilePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePermanentPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeBackupPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRestorePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeShutdownPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAuditPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemEnvironmentPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeChangeNotifyPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRemoteShutdownPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeUndockPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSyncAgentPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeEnableDelegationPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeManageVolumePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeImpersonatePrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreateGlobalPrivilege	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 31	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 32	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 33	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 34	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 35	3312	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe
Token: SeShutdownPrivilege	4872	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.execmd.exechrome.exe

description	pid	process	target process
PID 3312 wrote to memory of 1392	3312	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 3312 wrote to memory of 1392	3312	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 3312 wrote to memory of 1392	3312	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 1392 wrote to memory of 312	1392	cmd.exe	taskkill.exe
PID 1392 wrote to memory of 312	1392	cmd.exe	taskkill.exe
PID 1392 wrote to memory of 312	1392	cmd.exe	taskkill.exe
PID 3312 wrote to memory of 4872	3312	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 3312 wrote to memory of 4872	3312	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 4872 wrote to memory of 1716	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 1716	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 2664	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 1080	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 1080	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe
PID 4872 wrote to memory of 944	4872	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdced6cc40,0x7ffdced6cc4c,0x7ffdced6cc58
    3⤵
    PID:1716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:2
    3⤵
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
    3⤵
    PID:1080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4060,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
    3⤵
    PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
    3⤵
    PID:1832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
    3⤵
    PID:4948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
    3⤵
    PID:752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:3004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
    3⤵
    PID:744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:4196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8
    3⤵
    PID:1088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5416,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5476 /prefetch:2
    3⤵
    PID:3384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3528

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
133aaf6ed7c627afe809de98a1ba0a90

SHA1
e533f86f8842b76fb48cb4b3924c0eeb21f08bb9

SHA256
3f2a141348ba649cfeb911f8d93ed194403038e5261adbb7626cc5bb0bf2ff2a

SHA512
ed2ce4ebde18cd5552f72db626efbe8c71a979c21ece4047ccfc021202529dc03804d6d784635f5c8c0cfd4a914878d93302c0fafaaccebba9f85aaebacb3929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4b0cc5a559b661e80a4fa0e7dacae4d6

SHA1
1ea9300ffc39902e3ca67f45c82d08deb105d485

SHA256
045c34b7f1ab0afe2141bb645b32448d57e2299fe406fed1cec1b07227e6958b

SHA512
2be7733112b84355da6ce83b7bf039df38de96444fe5afd4aca5f8c5cbfc64156d6c1b44bca31c86fa2dc14e60c7c5e19411e2cdc1313edfd5989e0ca5ceead5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3d087765debb6ec18bf9514a735f40d2

SHA1
e94a9c7e50bfabbd25efc3ca74baedcd1f222cc3

SHA256
b5f444d0971eadd01859ae507d2fc5bee131ef275fcb636e486c3005a288d15a

SHA512
90781115765bf19f1456ddf1ac80724fe495caf840e1da392d0a4290c35a7044bb8b7517b43f9431d5a7c44efa0375562e5f94516428c6943c42c8ec72a353cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d93b83ce089b77068a3892b4c0fac59

SHA1
b4850677553e49efdbdbaeb69fad1804a3f42e61

SHA256
73120dfde78e687a500270981d14903330c153b0d5d4dd08232c259a351d8d76

SHA512
632271da4db7272b778d096654da38a5315ecf9d958aa24e28abc08b59e0b0c09d0db22ffd2e94612124e02614cfec90d0b4f80c26d5f6b1a995a1501fbdfe74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23c129994d4ccba3904bf9ac6d0df5b0

SHA1
0f825b61b3b7a09da547acb840a322c153127541

SHA256
11ff2bbc92347f435128a9fe3ada9d03786a1f5b3348768705f408e0f35007c0

SHA512
a5f907a163ba4a29c73843a12e521f786fed0024b0ba4d562829e37844e81b8b47988202e03fc66a44e39e371b2c19f62ad0f839447bf2cc461e96e96cbadd58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddf9be3ea61226cf9907697986f18bf1

SHA1
7d35fbb7df0572d73398f4582e8c3886ffbebc7f

SHA256
abd556127d97bc3ee1495df6767efe03b5541f43b47a55a50fed7d101e7a538e

SHA512
4070c5364814e095e09f28bf4fc0f4a721eb76f9909e8f19628a4683d416656211968e2714b7a7e934eb22ff08c66b764b69d20356898ccc0badb0d8d771b7e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
935b922481ed677af0aa199a465dd34a

SHA1
1fc3cd55a65044b8b12d024081e9155d050bcf75

SHA256
54292a1ff5a42264894ed3c2e29c13097bff0c3aea238f1a9633b0da01f6ae9f

SHA512
a237699cffc57de39019f556d17814fa8564466995520c24842427a1e5ec4e18d3024284cba8cc72c97ea6e1db21cf5ec30bf90f85ce01b4d43447f7f0b71b95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
112764efe3a2057de0de02d051aad6ee

SHA1
9a091fb98d1352f75f0507aad22bf8f156fdf9d9

SHA256
5725ee7359f37982047a67b67f8660399530320f37a2aef97a50c0317fa4ac90

SHA512
7d8723cf405dfe57195a330886ba45dbb7c6620c3bbbf9b2751a9757c5810dd37fce9d9edb42f9409dc855a4dfe2659ef082fcd8875b776e7d13bf1dd59272f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70a197ca5db4110bbc9508139dc9bef7

SHA1
63ddd70ac847fc0ce2f911f7db279669062f8578

SHA256
78759e98512703627d1d10c9e16fb7ccd0e2f07880717d1e185e98fef7a22c26

SHA512
c7447b82178afa5256ad2e52f2105b3c9d08868d3b590a36258716db6bd76fc224510b5bac67dd6642173d1cfe0ce58c046d613d29eb20e1ae16ae07acf1a943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a85686886e63eb02c2873fa8479a2d67

SHA1
7c0164ec09f7783ad4ced032ea3bddc868827e8c

SHA256
cbd2556e303717c320d374cf803945c89c73cdbd554c579040a33fbcbd166a75

SHA512
36b717eb67510169b61d169dc107cecd35b0a34cd6b4cf00cddd99f7a0206daf10e5c402a8ecde006cc77a6d9c34385c4996fd3d1ab3f9887ed50c7466c3cafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a82c925f85918f00ac6e3e4bf0a8b08d

SHA1
a42399d0d8e7ff4ec7033316eec905aa4cb3b8cc

SHA256
be6340b9af7873816cba59ad598f227c96d914184c766d42f58dffc492bff824

SHA512
9f5d14e77b383b0b86388b3cf361ab6f68186162ddbab6d170ae0755a996e5cb7f6d22ef898bcbf5ee196b3fb74f64280d7a6f585324c25f425e0a66bec42b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
c4f4f10527515e350475234d38267351

SHA1
841f108a99e81d0055a2b87e01fffc5f21bf1b2e

SHA256
3c4e778a71453a50ccb43e8410953042685d2eedcf94c22f651b75e9d540819c

SHA512
d2532b4cc7f957837576a1cf47d4e6be1d1326ad8816e30bf2a4c1f57629eef22f8d80db4a08278e167bb6d89b8a2bdf1c765dbd55506e1a9f95a6ab6e5c0288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
b0457dc2ea8640e29626e522cc7ac86a

SHA1
444d934546e8f0e2e60ce1daf186e214d2c61930

SHA256
5f8ff8257f4f77fec62d737567d16b5175894cb6184b0dfd7fefbaf157959e8d

SHA512
2ea678c819146f22556fc9e7075fe72b68dd9babe6547d0e310994678b2b2718c50b3f6f1b5f34195d07beebb9d5722f7868ed7ea60a3b860e17f79669ca805c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6c35f08421bd503855a67b5f27f02644

SHA1
b21fda90599047f8748195bfbabc4b542e92a6fc

SHA256
f10032ef46b99d825019c710aa1c88e373057ca1fcd7cb8dbe5ae4e7546f5c51

SHA512
7386aec6c1b26cbf6602afb9b8ff861ec38a152c1c9e327358cff7867bac403999f87678eaec1feb83d3a871e266ca870e527e9f4a8005e697a7d9eeca1604fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
16f9e6e078d8dcf5bcf1abc1b7dfc38a

SHA1
7b6856f535e99bc0545410bff56cb61e76624774

SHA256
686716bc7699f3c143ea36807efed21bcd1a234708b4f107d5c58f15236dea71

SHA512
e4a7614af829e15ba70fd7e4b721cb3bcc40c518f67ce514c06947070866ff96ce747b9eb6d106dc88060f9daf3fbb72d7641080d2f74b685be7d9601774e1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
440b4a4635df7305201d3288a0bb227d

SHA1
a68c42916c53572b8d11cc7278b5afed562f9ec7

SHA256
bd0d62389556ba79abb3383d323dc3782287ccba6b7f15fb9726d4e71c18a3f3

SHA512
97809da40ee207c20de4e569edd94cc51fdcebafab3aa80c56c8e79f667ce743cc058164fa061003b8352595d0cccab1950b2abc0faf00086bc24172dfe7744d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4872_1543153755\8139a907-f58e-467c-bbc0-911177bd89cd.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4872_1543153755\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
\??\pipe\crashpad_4872_FQLGIXVZZQBRHMNU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit