socelars | f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd78769f_Tue234b6c24d9a0.exe
Size

1.4MB
MD5

435a69af01a985b95e39fb2016300bb8
SHA1

fc4a01fa471de5fcb5199b4dbcba6763a9eedbee
SHA256

d5cdd4249fd1b0aae17942ddb359574b4b22ff14736e79960e704b574806a427
SHA512

ea21ff6f08535ed0365a98314c71f0ffb87f1e8a03cdc812bbaa36174acc2f820d6d46c13504d9313de831693a3220c622e2ae244ffbcfe9befcbc321422b528
SSDEEP

24576:M4UpDMuCSO5T9iKvkK1dA97hfNpZZ06nlvmp78nLBuzPG+7:AplyTv1gpJk98nLBuzu+7

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	61e74fd78769f_Tue234b6c24d9a0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

18 iplogger.org
17 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
18	iplogger.org
17	iplogger.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

61e74fd78769f_Tue234b6c24d9a0.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e74fd78769f_Tue234b6c24d9a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1628 taskkill.exe

pid	process
1628	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757802045549607"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3388 chrome.exe
3388 chrome.exe
968 chrome.exe
968 chrome.exe
968 chrome.exe
968 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3388 chrome.exe
3388 chrome.exe
3388 chrome.exe
3388 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAssignPrimaryTokenPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLockMemoryPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncreaseQuotaPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeMachineAccountPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTcbPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSecurityPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeTakeOwnershipPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeLoadDriverPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemProfilePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemtimePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeProfSingleProcessPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeIncBasePriorityPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePagefilePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreatePermanentPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeBackupPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRestorePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeShutdownPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeAuditPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSystemEnvironmentPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeChangeNotifyPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeRemoteShutdownPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeUndockPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeSyncAgentPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeEnableDelegationPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeManageVolumePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeImpersonatePrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeCreateGlobalPrivilege	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 31	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 32	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 33	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 34	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: 35	2028	61e74fd78769f_Tue234b6c24d9a0.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe
Token: SeCreatePagefilePrivilege	3388	chrome.exe
Token: SeShutdownPrivilege	3388	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe
3388	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61e74fd78769f_Tue234b6c24d9a0.execmd.exechrome.exe

description	pid	process	target process
PID 2028 wrote to memory of 2460	2028	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 2028 wrote to memory of 2460	2028	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 2028 wrote to memory of 2460	2028	61e74fd78769f_Tue234b6c24d9a0.exe	cmd.exe
PID 2460 wrote to memory of 1628	2460	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 1628	2460	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 1628	2460	cmd.exe	taskkill.exe
PID 2028 wrote to memory of 3388	2028	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 2028 wrote to memory of 3388	2028	61e74fd78769f_Tue234b6c24d9a0.exe	chrome.exe
PID 3388 wrote to memory of 884	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 884	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 4148	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 1100	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 1100	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe
PID 3388 wrote to memory of 3612	3388	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7562cc40,0x7fff7562cc4c,0x7fff7562cc58
    3⤵
    PID:884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    PID:4148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    PID:1100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
    3⤵
    PID:3612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1584,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
    3⤵
    PID:1264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:2992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:3772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5124,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    PID:3288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5476,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:2
    3⤵
    PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4976,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:968

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5964f5f2d0e635558954710d3f867140

SHA1
512a4f53ebc8ff37f6e14dfda70fff08e9d4bb89

SHA256
b1df549f1aa020420bfa1dc257731c5e3abf0debffe3702f8e7b36efa3ff1d0b

SHA512
39cc80a08aa7495f46ef83f880abf9c629f3a8da04f4e3345a007422385e5990d1b8c3c3bb0aae629f5c3ff06c75202764125736d283bd347912f8f360f4b080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aff45e6bf8f12b51f8e54810193edc28

SHA1
0d4adc9be2933ee03c6e66d03b22db5843ca6341

SHA256
195abaa60eb63528a2527bb8acc35a1a2fded1311afcac7688d66c0d3690d509

SHA512
610673ae66e68acd404504babc62af49edf8eaa59f640a8b286f60e6120c6fabb6d1d8466e3d19c975dd6c6f4adcb1a61821d105ed402c8d6e1e5278c793bb01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
90f1ec74cd654f43eecb0e69e584caf7

SHA1
cc50c7d68321d684498b870e52e84dffa993ded8

SHA256
94a54bb7a36ff49f25be45cfd5f10719819e97029a9a28c7ef1d486f88a6a57a

SHA512
cf460bf06d9f70d35056d9e975b74f565f2a99b8fed42c6161a12de8d7fb41a9d548a4c530bd3f106c6f6264b579a79f083c1333a083fa5f9259561f4003bab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05a22b071b1c7572bda0de48c9359010

SHA1
2fbc135044c9e6b58537fa75b4feb700168bf3df

SHA256
cfd718b36477f888153d062b36f5aee6c08d10dfc15102ce850a8b73050da831

SHA512
fea599f5ed803245e69bd9979fbc7098fbc70c4ce0ca670aff9f0f7c2979fae3504b46067cd6a04fd5c569fdd048d2d1c1dea6bc468b7e168931b80233c4311a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
887dc942eb4cda4bd40062d35a3fe24c

SHA1
2fbf1a941ff9dc7a089ea6e364afca3a58a048ca

SHA256
a5260642a1d1c7122f9d1d4e50957c59fa99d81d1eb811ab75d12444220def94

SHA512
258492ff31863668167e182c2f46e22351d45529ffab3da592188d9c942b4ddac65bc04bd811e4fb669d974eb40025a0357cb2d032c77734b06643a4467e06c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
624dc0ae429a967dfcce73b3174a8c6c

SHA1
765984c79c6077bc932a513d254241f4a5ec69e2

SHA256
26e74364bdcf639cb7865fafc76222171a9a4c020e325f9d07c086f4b39414b2

SHA512
47d2c2318a1eaa3d87b7990d36d905b7cf6c09f05355df10f547b3c98033c10bd1fad3cbb70f2f82bb687818255bf455b4ad63d7e32a641afdfd004d38bdd64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46d52cf4d5367b761e77d2931e253f6a

SHA1
4db539b10ec431d546b571357043ba9c0fffc8cf

SHA256
35822f0f7f25feb50163dcf038fda149df72c96e70a016c3ad95208008b28377

SHA512
01c63e0d76da3fd06264583ef01c255c51703a345b50e09670d1faec7d62aa1372e2af7c6ca1cc0227f5f03edfbcfea4b7cd7c4d17c5316cf3fa6ad919cc3948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
34395d0344d2be06ab1a1085cc6b6a45

SHA1
2da8f0671a6691dbe56fb3918d501673013e16b5

SHA256
6e27a467767e5f5b21601bf423330124129c3c50d47e20e0e7edb1d0668e7140

SHA512
417586c1615788d89ae867fa7c68e66565c21d9918f389c42abb3d8881ec0ee1c67963f32b70bc294d80234cb0c4617b2f951e1b3ebb78448e6b72035059f09b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
323a8aecb373992550d8f1fcadb6ce9d

SHA1
075e3542af7dbcb0df5d1ff1c9a21298f1348124

SHA256
decf401a1aaf084846d7e352992ae4440a4d98bce047d6acada838b15ff8d103

SHA512
34581cb860a13b40514cf265af4f03c2c0d751ed6486b473ad22a0d770f1442211b4a675b50e0eb154c95da3d5440fd11c10689d04eef19ece6ef88cf526db1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f4ec1678308895d14eccf7df988b2345

SHA1
0febda5bbc6dc851d51b8061db986c244b692b03

SHA256
43d80e2babab2dadcaa1f639df93a6f87cb233d35428db083bf47c1325d9d963

SHA512
b9e08dad63c94770db160afdcd1f3b1f25fbd4d43602940c04bcd10c37307e33355c5d7c189197e462cdb2afc9a9af78d80b00ce348278c0f32a390572fe328b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
933bff49d796f2469bbe787f52a8956a

SHA1
00874a997782afb4e7c814eacc4ef84d9c038dbd

SHA256
959ccfb78d5eb82a2d073c3a0f01cebcd62d30a18c12d2cde1045bf6ea373881

SHA512
54331bda770c89a68384941eb320be8e760a177b8641277bf6cbce44f8d853e70f75b105a45740d9501dd38f5297d7610b1841d02bfd0de91cd1e9393e3eae21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
4b2cdae7e94da2e0bd13e2e7de34394b

SHA1
58d1b03ebd2bb75e4b7bbcd31ed750feb9f82382

SHA256
c4e7867aab1a1e92677bdb8feee4781e3fb349ba551c0c8822a44f939ce97528

SHA512
19a63fe2997fc1c3d8974cb0ec7e667f28003b3f9110ac8954ce9acba6dbf34636efad6b408f6d18c27986dad0a7a244c44bd07be96e4252f468d90d9b919bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3388_844605549\72761e82-214a-470d-8dfe-8dc0bfb73bca.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3388_844605549\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
\??\pipe\crashpad_3388_WNKGZITEMVOSVTRC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit