socelars | 7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Size

1.5MB
MD5

d6d65fc0f7242f733f0a816801a55ea4
SHA1

fcead41360485582a21570431f7eae38265a6d0a
SHA256

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447
SHA512

80626578b563b73ef02f3c0b08c4e1fb8af2dacf9e5e03127af444c3803b075a2f21525cb26f74893abf239c6fc1dab3dee81c99f06223465c6a296b5860d898
SSDEEP

24576:0xpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4GZ1mV06GYp:kpy+VDi8rgHfX4GZsV06pp

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
2	iplogger.org
5	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2864	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768344114750375"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4268	chrome.exe
4268	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeAssignPrimaryTokenPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeLockMemoryPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeIncreaseQuotaPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeMachineAccountPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeTcbPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeSecurityPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeTakeOwnershipPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeLoadDriverPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeSystemProfilePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeSystemtimePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeProfSingleProcessPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeIncBasePriorityPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeCreatePagefilePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeCreatePermanentPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeBackupPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeRestorePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeShutdownPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeDebugPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeAuditPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeSystemEnvironmentPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeChangeNotifyPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeRemoteShutdownPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeUndockPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeSyncAgentPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeEnableDelegationPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeManageVolumePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeImpersonatePrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeCreateGlobalPrivilege	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: 31	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: 32	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: 33	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: 34	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: 35	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe
Token: SeCreatePagefilePrivilege	4268	chrome.exe
Token: SeShutdownPrivilege	4268	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.execmd.exechrome.exe

description	pid	Process	procid_target
PID 4872 wrote to memory of 2764	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe	82
PID 4872 wrote to memory of 2764	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe	82
PID 4872 wrote to memory of 2764	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe	82
PID 2764 wrote to memory of 2864	2764	cmd.exe	84
PID 2764 wrote to memory of 2864	2764	cmd.exe	84
PID 2764 wrote to memory of 2864	2764	cmd.exe	84
PID 4872 wrote to memory of 4268	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe	89
PID 4872 wrote to memory of 4268	4872	7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe	89
PID 4268 wrote to memory of 2644	4268	chrome.exe	90
PID 4268 wrote to memory of 2644	4268	chrome.exe	90
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 880	4268	chrome.exe	91
PID 4268 wrote to memory of 32	4268	chrome.exe	92
PID 4268 wrote to memory of 32	4268	chrome.exe	92
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93
PID 4268 wrote to memory of 3968	4268	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe
"C:\Users\Admin\AppData\Local\Temp\7203c67c28acd26ddc7f48befba3e309a8daf03132150b510c35ae799f77d447.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f367cc40,0x7ff8f367cc4c,0x7ff8f367cc58
    3⤵
    PID:2644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    PID:32
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
    3⤵
    PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:1432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:3240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3124,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5100,i,2666349925402213287,7894938607315883336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4176

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3e14e8fefea78eb1fb130b4415708120

SHA1
120d51c25fede847dc2bf9e8323f4021c786d778

SHA256
23867f700f7df1fe9fc5efc24480853588ad6d1afa84bd402fd3b824a2028ad6

SHA512
02f8ace20e062a1dfccc735e91076792f6ca8eb38181b631f8427b6e040fd9821644adf49368e75c9dcbd3211eebbe2d4e84a07f8223e582385657daa84b668a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
382715e6c50066d97df753f25899f3a4

SHA1
0292a0d4b649605281df04cf837b5a2aaa709942

SHA256
eb8c769145358bde8618c674e7f4e6db2a7b1a9cbe8dcc2be2abec6c61b92a70

SHA512
405bb19fd68fb498dd7c75aeadbb7e6277b92792be755882c9629f2701d9aaa18c949ab274a14afa874412a0bc8c0414c167653b26f24db8ab8d151316a563d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ae05ba92c2e161a0cbe43f16f700144f

SHA1
76a7e6bec4a1693212c0c835c600ffeae38a55c6

SHA256
9ed6925b93d3b1c9748bca3917c291010947787f48bc14d67e8650a5573421ab

SHA512
0445fc9f9bcaedb61e2265510a77754c64d850660f51230420166f358cdc5a95e3ebeea82a02f12444851891212eeaa9731753f6f8d1c5a0d664337d959bf143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2389352b36b32772922c72adb5b92e90

SHA1
a301a5c6541e5cac4dcfd3682e17a559fa5f2ceb

SHA256
c2ec00e1045cf1c5a403eff6b18880fa3a5de5ce2904d723d302b77ede0b6bd0

SHA512
429f233950b7efc23c6394d9ceeaea292f6dbf50ef6486e08d16c7dcd5fb76ba5e8ac766c32d1ee87379f29237bbdd38a2744df335fdee652c1b228eb5f498d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97ef78703f9b6c55bc9274eba7736363

SHA1
ea16dd820b802c5fd750dc968511d7596cad87f0

SHA256
c159c50cb5cec07aeab3ae6e7305b7a263ad4547a181bd44706f1f4e960ddce1

SHA512
827fd540de7d12058b5959218ca31a00470e77fcb4c92501de201f8addd56a8fd6decb172d28ddc68860dbd6f1653266c8fa1f3a3a433cbdaf0002079fe0eddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6947a1680b1a3e32e998b83403951ff1

SHA1
e471451878fea095ca0b03d82ae3898b656e7132

SHA256
dcf57ae297a903cea3035702a5f97a3e3c313e1e837dfc9a4112e44e22f7e496

SHA512
ed82db8bc439e0547bce941c22b06aa6fc01fba77998513b80dab5477e0bf6d2a4d47df7cb441ec76c43f8366a2e79f7d52c315dce0743977ec19ec31cfe1e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
466ca5b6ce5fe3ddf029702048ca2ea6

SHA1
8327fc633960645f52e754b3d9ecc446e4f3053f

SHA256
502d0ec8c2193bb9ad2fc1352a2e1897ebb12a9c25ae5e08134152bdf5658a5a

SHA512
f8e746c1bf17540fc550a30e8117a2b49d5b1ded97f405a2f022c356d3b6a8e1066c865588b3fc62fa209949ce72c3e51d892af3f861a37cf0da199f1e936d18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d310189925bac7cd6c41e2cf0d606db8

SHA1
6bbc9352b71e6df5c2472455ecb433bfec337cf9

SHA256
bba1d8d5248bf72e857dd3615f05ce6a795ccd39298c59dccdfc6417081cfafd

SHA512
9f893a13ea363159e9a3aa120c4a16e0ff7856a1a6621e591c3cb34573c133359dcfc995b321c2d9decb4c4bc8a7ec086dbb697e6367801db9b1846fe8d08e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
4e52a7e6ab05faaaf0e0c605191c63e2

SHA1
c464190eb817eac2de38fa811d0d0772fe8f5d19

SHA256
c062762a6f174bfe3bf436cee08376113d2fef597ba32e583e1c54c2c5e5eac0

SHA512
86107d0c56b6130cb56e6814e6b18f7790ba0398b89ec13203515765a84f4acaa360205fa253439084affcfa7ea38dbfd073249c7c5dd9d12e921e7a582ec0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
6a240ca8b9d4fe747576f61de5d00547

SHA1
c80b5ce538befb8930c70fcda1de830a34dd1a1f

SHA256
86ea44fb6e9b653f732c3c2ab807013d76632c3000b556a9966e585505f8cbf9

SHA512
6cbc6162d8f9cbad3a1f53e3b21ed9cc078c39a410dfef6576a49bde6a762f5da4f89509de195ad9722a0ffa5dc71407459b048987b18b2107b04a5374f767ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fe9a1c61-40d6-410d-9b3c-a0a5caa7eda2.tmp

Filesize
9KB

MD5
1b43da2476f90327341f11e62ba5fa9c

SHA1
50492c43055167a786a7c107537af56e4af25b9f

SHA256
c66be7665d36f13eaad7ee72dd0fb2c7144488fbe69c6668324e438a9600ae4a

SHA512
31851d3d355e0dea18017f639e10ceeccc791bf75dbb67a2fc383e7e10b9a74b8d3d23263f8de2ee7af31d471d2b316335b67ac18f0ee8a051308ffb984a3ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
3facbbe2cda49c126fda0bf75848f349

SHA1
25fa85dfa2a2a60f6626cda21b728502a16fd452

SHA256
6ad370e5aad63f3e987d981f71072af10c32d03926a07df0d9870729e3b297a6

SHA512
52484825ceb039983dfb3f6aa089ad350d8e6130dfe97283c5e01be390993c278e7b1266c4572a5c7a6c2447ce5f5f02eeff47b88cb9fd5db9aa49150699a701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
3838653d2a44abf99849f0d36f9b2a0a

SHA1
77ed54cd9f92638b3f0ccee51381b74726f3d0aa

SHA256
b691a2f0dd30dbfd15372980dd7950cce94b42030d9dc31237358ea68d278891

SHA512
366e9af91e5e831eae64416ff456a79665ca75103c4381a44efa5d3007b44ccce326df7b841f3fd9cb103a845b942df98a5250b4012c7ecf2c984e61353bd617

Download Submit
\??\pipe\crashpad_4268_FSMJMAHHFXNTHIJB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit