socelars | 83008b5d79cd91927f152e4da334ecf90fc6d278ef72b1a5a90cfbd204c57e65

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Size

1.4MB
MD5

b7b097c90a2ca190d554090898124dbf
SHA1

690ded9f6fee3fec8c3c7b5520a24e3fd8d8ac2d
SHA256

83008b5d79cd91927f152e4da334ecf90fc6d278ef72b1a5a90cfbd204c57e65
SHA512

7b9a44cbf32eeab52339bde433550f0061e4b8346871635e9898464e33df46788c7bc62682e9187b0bface8f595180f2b5dcec47d519fa7ed26f4d0171df0406
SSDEEP

24576:DQpyBPGxrdclka3bP2WwgTKbgtD8rs1gPPKe5pqBw:0pcEiKdaTmPPKenqm

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
8	iplogger.org
9	iplogger.org

Drops file in Program Files directory 10 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exe2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2604	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776365704768218"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
1848	chrome.exe
1848	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeLockMemoryPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeMachineAccountPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeTcbPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSecurityPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeLoadDriverPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemProfilePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemtimePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreatePagefilePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreatePermanentPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeBackupPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeRestorePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeShutdownPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeAuditPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeChangeNotifyPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeUndockPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSyncAgentPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeEnableDelegationPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeManageVolumePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeImpersonatePrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreateGlobalPrivilege	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 31	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 32	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 33	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 34	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 35	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe
Token: SeCreatePagefilePrivilege	1848	chrome.exe
Token: SeShutdownPrivilege	1848	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe
1848	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3396 wrote to memory of 3804	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	83
PID 3396 wrote to memory of 3804	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	83
PID 3396 wrote to memory of 3804	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	83
PID 3804 wrote to memory of 2604	3804	cmd.exe	85
PID 3804 wrote to memory of 2604	3804	cmd.exe	85
PID 3804 wrote to memory of 2604	3804	cmd.exe	85
PID 3396 wrote to memory of 1848	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	88
PID 3396 wrote to memory of 1848	3396	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	88
PID 1848 wrote to memory of 3128	1848	chrome.exe	89
PID 1848 wrote to memory of 3128	1848	chrome.exe	89
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 3856	1848	chrome.exe	90
PID 1848 wrote to memory of 4644	1848	chrome.exe	91
PID 1848 wrote to memory of 4644	1848	chrome.exe	91
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92
PID 1848 wrote to memory of 944	1848	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc6d03cc40,0x7ffc6d03cc4c,0x7ffc6d03cc58
    3⤵
    PID:3128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1340,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:3856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3
    3⤵
    PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3104,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:3636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3844,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3860 /prefetch:2
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4668,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    PID:5108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:3632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5076,i,18281967905080639590,13281424328976775976,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2972

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
be76e65fcd8155956518412618ba0497

SHA1
cd18af69ecb79cf3a8fe8d0a05ce6b9e1b2ff8d5

SHA256
9ae2928db53a546ad1d3b3c0a5c96b7e76afe54aba7f4c5a3f1a0de6d1f7d2a2

SHA512
f2964ba77cbbba066879c6893772585ee5dcfd59c801289ad550fe8f3437e33523b8ef6ca0e84baeb8b850b2c25037b1740091865ac9ab3e83054bb32cd2fa03

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ff6ed37f0ba2ee77959968f5b99cd310

SHA1
ec612b7e2dc776dfd702dbcc98b13418014aa33c

SHA256
6e18c75ade04c7e69e1d6f84d9d3fd4ef5205ecd86c35256ce7dd94533b5e852

SHA512
17305488fa471b85b78648d3bd3d3f53685d4ac63831a8abffee0efc8d354df8e7fbb6967c20eb519fd262b710ada6ad1c03d6805fba0b5fa71e738922455bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
879ba3a304529dd10c46f84bb34fffd6

SHA1
17f2145ef3b2ef1f8f11cbd092af5658183c2287

SHA256
7fcf4c4c58cd9deead09a8747af800028915f00ca2da3830612a96444e00114e

SHA512
c0c34cf108070f7d0cc33d2641ed46ec53551b729c6c0000f7d1356423e690f34c2bc6c93f569644d7b3f952e56000578b3a84790f7d6cc9d172f28085c6e35c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9e22539adaa9d73e3ff3d61db22755e4

SHA1
831b67f73164d1eb0ef0de9ae612731901f89c62

SHA256
b3cdceaad47cd89704a42d2421d5341f84851d65be987e548238699ffe63f794

SHA512
97e700ed6b015f0496bd849b660b29b30447c16e5cbd4c7c223cfc5cae666aae5120613523d32a14acbb104a3704016ad6b31353cff3d40d2bf7c78de70e826d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e2949425cc007f8407d51ef0d0f9b025

SHA1
540c7aaa68a7e3b0771c10c65d9a22f965e0cf0b

SHA256
650da248536012857a75f696fdd44d62a88579121b9d9e9c9a67db1e1b0ca472

SHA512
7cf816fc14372cb4267b7707b7f6d2bc38bbca019915ec9bb3cd2a12cf5b43eaceadaef0f0ab907d9c8e4153a80023aafb1a4b029799ffa1efc077366b29f7b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e2c4a62358097a48c2881c3f49964fe

SHA1
53caab7d01c7920711d889c0a4407e569ac9b9de

SHA256
4053657af8dc56518f2cdf885be3e87a7034cc3a57f66d16380a180704df2283

SHA512
8695465ed6ca3bfefd33cd66de6783d2ba4b186c257942a9a6b4f34b4b9b1ffd753259c3fa677fbc6020dd101a69e18d665828e2aae2f7d46a7288c88a4c70c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
515ee0700954db36f0de433aefe20d05

SHA1
24d41fe1b2e36a91eb7b712240eadea5ae831976

SHA256
c2260dca4c8265240d155f8f4355322ef270e40b76a763893b00552916106095

SHA512
c69297fd78932d3fb8b0f6aa0422c162777a84d418bca680bf0f521c741de83d62203b6c5de1e3b907f5870bd706a462725426a8ae18ca9dc41e85154bb04896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
60c48deed92ae226144d221741c93ce6

SHA1
c2271cd49736fc31bc8a31bde4beb5e341fada03

SHA256
2544c9591e669db4fabd9784660d2ec4f443253e0f288045c482c9f7338347b4

SHA512
2c63fdf271467c43ff0e3b8c76d04ca56c8e81e0b6be8d2ebe026c80ea0e61d16fce2da61447213acea34c01c9b6820862afbdb586de15f2c1cd51b69f4a87bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb90c832cc87c26af768853680c9d0ee

SHA1
ad90807f9822085dbbeab363bd2b7f9b517c9c24

SHA256
ca5d538fac5bdf2b863430c744ef1ce0638a17ad0d5786c30c746068d34b9729

SHA512
c65d9005e81d574ff81f36b4088042e975a72e277503ce70093cd5d61bb76c975701bcf1e36a900ebee6da46875c5e1e761dac3593616e71d72fae2deed8467a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9edd0f7e1de32929d1d0c6b777dba68b

SHA1
a79b9ff1e39710a0fcf3e7d00e2ef52d6cd0db7d

SHA256
e9be5dc07274e971d05101a7edbcb12db9031cd50ff99f1d8ea778394067631c

SHA512
3f6307e0847b7ae5b9d31ba6157df5489bd5d67f143e96eff504db3bd0483db07e226ec507cfb8447fea50f6c7a91a78f0cb86cb86443ce7a925c6f0a4610e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2525dcd8b27d793e453a60232d0c1f9a

SHA1
c512e524230263f44a333a436939e1c01c53eaf2

SHA256
bf7a9e6957d3db093d9cd919cf988f7da7923befa3c86cd701701170be97ebd1

SHA512
f78f9450c2cfbef4ba98a2d7c07e33a200ad2b688e2c116c8b2592f53eb461b957c15aabf7509307963c884c9082f6c757897c99b6542a037a9e9671d3e2c62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7aa614c6a50056b598a3ea9ad641e15

SHA1
098ee751ec8c6924518d586656e2957d14fce98d

SHA256
87c895fdbb14f8b563fbaddc5b7f8b9c01cd35c60d1b54fe11bde92e14dd494c

SHA512
037fe00611b24c83dc53f1db3111e5340201b99d76eb84f7c5ae6bf7a37bf40f9bb5b2ee256dcefb26f4f46eff582fc6ad828581a6cd78c2288a29af4b1df680

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27b336c5a6307d0a6366e0f6c2432493

SHA1
35f566d20cf051a0fbcff8b62dc79a926903cbb8

SHA256
47a30ab3a791605a33a43588b6311e69493eb91ed41fc3372085f0ec48bbf597

SHA512
11ffe76974343f6188af36766a9f13c50efa19382ee02c57409d8756e1f5f14aabd4fbacf9d1df04ff6c25801d3f049db309273026683a41962edc8bb2d429a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
841fbb991b34619c0cfcf3f048fbe78c

SHA1
1bb40abd691db72ec7376c5dd3e863674d2d5bdc

SHA256
2df966328c331c65cb294c019f81ff42f4611f2938abedbd5fea152b6a9fa680

SHA512
2f5b0b68d94c043d3b7b11778b15bc77cf7584b66475d0d2a323cf445ba9ec24c34cd62ad3dcc3bfc5a25ca35b986955cb4b32d25008b0240263bface8dec0e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
375ac6c50f1ca75e199f2e048d453785

SHA1
354de9e95ed820ccc24f5f1e595f285193d5c2c1

SHA256
9d8517e58b6d7b8a206a330ecb891cd8473103c3fb1066374f690a01d3a6a57b

SHA512
4325e8d95bb248dff8eada9765f401697f28bbbe01ece940c9643478a6d7d698567baf6cba9da65e41860caf62339faa4ad01ab4002f9d9f239e8ef0c02a9215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8352ed5bbe3a7c0fbd94c2e14bc5de31

SHA1
615d9809bb3144ab25b4ee7568644bea36bf9713

SHA256
fa82205adab69607bc80a103488725267ee51f7bae8d6a860ab7f969b8b89308

SHA512
9cc9345e0591135e12308625c589d195ff6178276cd6245d43d46419c7e77165558de27fc05e3aab4214491a8fd7250bc5b9e1dc3cebdbe4fa988dbebb69372e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
f980ad3d962b869cb0abfb1fbcf8d902

SHA1
9d7a9f0cf68d0fd1e956d9bd4888e85911d530b9

SHA256
0c8bc57c148515d2700f26d09ae08e2097e947f69ee536953b654ae2c11d6b23

SHA512
0949d5800dfc70ebe7bf8228bf4a0efd41f61d97cf5f6a2869fd068cffdc9c6c063be6d2a6273580a3ed38b37770e62caf97523ce71a85840ac0348f89346805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
b819a066419fb18c932c850410fc14d9

SHA1
02a52c61d023d44a38c849b581612eb9ecc8de4f

SHA256
5c00e189c0c4b556158d8aae16b66127bd9e7faed700b23ca0017b60eb8d05fc

SHA512
d5bf1651cbe61202c8fd0e569ad96112973a37d664a25ced583b1cbd5e086e5092f8b040125dfb2cb5092952abc491b3e295e4c841510912b28878f07728b9f3

Download Submit
\??\pipe\crashpad_1848_DIFMJKENOQVWZGPC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit