socelars | 3e34305f5b0d478a3c8069e0e9526fcd371eaf1721dd0d6673de34afcdcc9317

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Size

1.4MB
MD5

7bc806fc29fb3f806363e63253016623
SHA1

cb995de37d8edd2552c9682af54499de55b791b8
SHA256

3e34305f5b0d478a3c8069e0e9526fcd371eaf1721dd0d6673de34afcdcc9317
SHA512

51c2e6e01e40ddefcc86098e0f7fb2e19a7020e966f0a2ebd0882742af7de11826e614ca84675e3cf555421a08f337d9ae2ffa6798c5de902426db6974f0a908
SSDEEP

24576:zJSLpwfVWRh0SGQ48Lm2194mKa4qrNdW9NTPjaBUqBbEH:zup62ESMTjTPja2qZE

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
8	iplogger.org
7	iplogger.org

Drops file in Program Files directory 10 IoCs

Processes:

2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2108	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776361222076930"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
116	chrome.exe
116	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe
2856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeLockMemoryPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeMachineAccountPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeTcbPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeSecurityPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeLoadDriverPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeSystemProfilePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeSystemtimePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeCreatePagefilePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeCreatePermanentPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeBackupPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeRestorePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeShutdownPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeAuditPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeChangeNotifyPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeUndockPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeSyncAgentPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeEnableDelegationPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeManageVolumePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeImpersonatePrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeCreateGlobalPrivilege	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: 31	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: 32	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: 33	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: 34	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: 35	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3620 wrote to memory of 3404	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe	83
PID 3620 wrote to memory of 3404	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe	83
PID 3620 wrote to memory of 3404	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe	83
PID 3404 wrote to memory of 2108	3404	cmd.exe	85
PID 3404 wrote to memory of 2108	3404	cmd.exe	85
PID 3404 wrote to memory of 2108	3404	cmd.exe	85
PID 3620 wrote to memory of 116	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe	88
PID 3620 wrote to memory of 116	3620	2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe	88
PID 116 wrote to memory of 4116	116	chrome.exe	89
PID 116 wrote to memory of 4116	116	chrome.exe	89
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 4616	116	chrome.exe	90
PID 116 wrote to memory of 2016	116	chrome.exe	91
PID 116 wrote to memory of 2016	116	chrome.exe	91
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92
PID 116 wrote to memory of 464	116	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-02_7bc806fc29fb3f806363e63253016623_avoslocker_luca-stealer.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7fff84b3cc40,0x7fff84b3cc4c,0x7fff84b3cc58
    3⤵
    PID:4116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1744 /prefetch:2
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3152,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3844,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3888 /prefetch:2
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4700,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
    3⤵
    PID:3344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4964,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
    3⤵
    PID:3612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
    3⤵
    PID:3604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5152,i,11379054311194276611,1851081910228840879,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
b73f7879c2ab15c2b4db47b53f7c6ea3

SHA1
0fc46255657f89544379b5a02ee9baadf7e71bb9

SHA256
fbde28a15fedb8da61d9c559393b8d176a1a07061d80c3e6a3ed7bdc61bd5a20

SHA512
e71ae2c4de5de1c058f6dc295a5222a28bfd7ffa80953ade40b5123491d5d81984ac4cdc86d3ddf7f4d60e7feb274ca7f964ae70d0cc027f4f9b2ff57bc5dd9c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
44e444c6724d96d798766b461251aec7

SHA1
fd0b4537a363c60e18d092a269f689bce08ae0c0

SHA256
79f417e38aa74a3c705bf795c37dcadca84e7e55dc9fdf124c14a1cc11284327

SHA512
b971e78d4e1ff74f2e6000e39e332df0a510d1e0698a560b7d19cb95da9f45d256ff2c4d5dcb7d113c5712844940b3531b73687f15e43c2619299a1a4fe4af9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4fca18b9023c7ca9797ed001f9efdb8d

SHA1
b860aa2f1815682a1cf7f0e5be98b68a76f8161c

SHA256
3a92d1693755ce047b647c1532dbd051b981fcfde8d6f9a655baa43ab6cfe625

SHA512
98a41736fb4b70172e38fdcecdeae6668c22372c4f3347539d3d48ae76f778c9df9813f36b05328c0c9f30b591baad970589b53d072b81f8ecbeff7a8dd1da7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7d7a7b095d84d95d09e2d668c50eab47

SHA1
51cf3e539d571b0fc05c05b70b2b57d2a24daa6b

SHA256
93f372ab4a20c40ea763f8c45c44dfa9a6783f14303d6bea96eb127335d1ffa3

SHA512
84090bcb7364663d557b4ccee6666907725a6ed3a044f4b1d597eee09fc82f5fc035c35643981eaf484e3268d1b965904ab7409f01dbaf0ca7397d7ca71d9161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
adf6c07fe709be9a245e484e68160cd3

SHA1
0ab9a59f9538ae76c3f013974d5efa6c677e63fc

SHA256
e55df32cbe4ecc2db3107db028d63d3635d44b77e97843167aac6b4769672369

SHA512
7f8e8c1a5caac7af7db0d438fd742b4fd178bb622710c53492030c6de67afd46a597d3b0d1fb3fd82485cec90b81ce6294fbd3404c1113ed79a1a51075776aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
85a3ab9753900be32f3aa4ad7ffc996d

SHA1
e2ffe8ef092e40b40643d7cd100ac008cb057877

SHA256
3b6e3dbd9117339cf572ecf1db92385ed192bcdec9c696ff784006d62ba46bf9

SHA512
4181c17d91adfe3a76031ce1fc730a5aa4b9781d26af9b9650b724b0794e4f3717379d89c431974188fc49005a8c1cba770edb635144d6be1eb802cfdfb9eece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
42e85156bd4c6cf171a5d1029cd8a6be

SHA1
2d8fc9ad820efd3f621042822d0dbfbac4ded0dd

SHA256
a8afc8e8edd8f2eb8bb90f31371fde340fee9caaff45dd554e45b85e3da3958c

SHA512
3929e28dd22cbc2c2af61d5fdf68c893ba10055225c5d10c3520a2feefa70d0502874b02fc78373afe495b644284a125f4a0d580c90a36b45eff74fb8efd0402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
928f31f2cc97ca487c7baccec7ae61c1

SHA1
9ad6a38d09186fc468eb78f49862ad294487fadd

SHA256
cbe35046092959dc1efd139790dfdb6763b740c2b63dd93e1de4d3847c6815bf

SHA512
71bbdd424e60cc3c09925070677b8f6e0e64d49fe37b99b1ebf28219fc9a0925bed38af6d95351eb58f48d901f3e71474d488b2887e1dfed2f672c4bed0abd92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d84c53ddaba10be6e48b2dbd85030485

SHA1
9f1cbba8ab13e39f24a16dc5241880ef898269b0

SHA256
e0fcc28d3147428993532c46a93390ae920a1943ac73360e19d57b812c2ad8a7

SHA512
10cac924f1ce8659291dcce59c683a9e67dd930f78e658c1f255c77789b681efdda83f7a9b45861eec5d55deed1d9c5d6f2505349dc630fede1170438edad7bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b00474f1ed422ff87b22f53631bdfb5b

SHA1
4d9e318c6e1f3ff599dbe0317b833545f10d1a30

SHA256
54f1e88aec8af1b676d88370e95a38170de2dbd063cdecd19a5e74a83cc71727

SHA512
c9a858c023f0a0742dbcba790e096cae6378dd33d93b502fbcd5a1f17e56c6fde7e51057c808763042a89ea80544b06954227c4d69e4d48cbd27986b2b581972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40ce91d4ca7ce9743aa3778e91651d85

SHA1
dda6b61e1143227f684fd0b12f948833f9ce4b55

SHA256
8005393f0420ef715ada290824fda0afdf55e173ecd5690a93fe58e487a63b22

SHA512
1747d014669972fdaac34f0fff36476da0931dd0a220baa2b80da0a4d9fc4fd890d3953bb0fe970b8686c956befa66cd8fddf5e4bd3ee43093a85d6f9d9a606b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19b1ba1e2d0f14a221d3957375ac7988

SHA1
f5f744e526a0813d42892c7f0de2ef0633dd3991

SHA256
2412e1e8c55080e32d44185522e46a730f4fbe0fa569ab4c95103b03e15ffa74

SHA512
4acb8dfe3f3309dc24ec27f58ab7e4112ccd1756d598e29ded50c50ca4a62ea1dbca3e6fee7db0a3f7c77a301f0684511e5d0144fbbb8d6c329267fcff173faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf1e88a30391faaf2b2c3ee0163270d5

SHA1
d975ca4b04a8b0d15edcfbec0c1b7f6d8c04619d

SHA256
fc90a1b59eaa6d72279100c36b759bc11726f79129d7a3a9919ede417794737a

SHA512
f7a056453e1f743f37de7748a0918aa228544c6c9da53d31e7aa70edc4c74d7de3cd8364e7bc0a90837991b1f1e2704072e0968f1f4a12d4068ccfc98c13f4b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6d15d90fc5a674a80eb47f113ddfb85

SHA1
b7bd60daef43d1d0df822de3ea1ee50cc359f988

SHA256
f91baaeb84d34ae3d25e3a8f8c811519b81cd76e231ee113daa9095a0206d408

SHA512
0640b3534cccd174ae83a2a4e5ad674e24af128cc398386780922fa89a00473f0666a35bbef00c1b2e409781e33bdc5eb6287eb0477b615903f106fdb6d9c475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b20dae5b091077187d7c41ff0d95ce8

SHA1
e569111c26f634606492533b894b7747fc279e09

SHA256
3b8f12e28a396bb954b2453a5a26735fe442bb8ef9eb392889f7b27dc2846f4d

SHA512
6e4cbbd6562d03b527bdb0ab9bf89f717abb803c9b95091956830bf62c05619cea5d17ffdef6095d9b7ad91315ce05d55d788dd1ef4a894579056c064314ae91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c72818e23bc6df25476f699ea68ec2b5

SHA1
f544f00d9f1959016d965f55dcf3aea30f37da6a

SHA256
b773e4f532399adb9cd5585adfe588f3f41cf389b1934a6a14cf634113770490

SHA512
02ffc35e50343bc93007018ebda5f9e16acf1b2ecbdc6baf30cc05a57b700f26bc3c09fcb9fb30f58e638920bff40bc559ee1ad3dcf09166504ae5cad4178b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
815a65dad3c9078b3203627c7ed333b9

SHA1
0a86f5033f4d278c4807621dd834227f94dd9fdb

SHA256
57d76eeacfec1a94c03e0afdc4adfb2adb9ec2d8a4c200b3cf0ebbfefc94786c

SHA512
4dbde1cf38b1513df80beaf246f04a2a691718c26c695662a8dba963fd20f6c00c09d295afc095e479a5d6cc58aa3c74ac88f84a92f905c4acd95c82344df837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
f25c904aba694bbb1d5637ad56262d0f

SHA1
b59c4ad5cbf82f1cd6ff4cbfbff83857a8f19b5f

SHA256
7281fc6d7d678ee80fcde656d7be1c7dfaad08e4e95a108f59d9e832f708cedc

SHA512
a8a0554485494b06618b8bfe0597b69ad98f38fca28c3bfea9726a54c3c048e9e333cb52381e4f375665631c833d5e42cded03e0b34404acf0ffcdba0fc2220f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
9afe096e54f847a80d70e1631df2a8d3

SHA1
286e4371c17d4769abb11b45cd8c09b8a136cc90

SHA256
4e3e42a7642dadb7b4746b49af59618f9cceaff813815380d0dfaf9ca16b3f7f

SHA512
33e6cc18fe8708982e02b781ba2085862abfaa17d4e5c59d64f0e3ae9d848271357aee95904373dc80978f932a437234a90413a84cf295e23d2ec51d8e850ec0

Download Submit
\??\pipe\crashpad_116_OYWQIYQIIIHMEXNB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit