socelars | 83008b5d79cd91927f152e4da334ecf90fc6d278ef72b1a5a90cfbd204c57e65

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Size

1.4MB
MD5

b7b097c90a2ca190d554090898124dbf
SHA1

690ded9f6fee3fec8c3c7b5520a24e3fd8d8ac2d
SHA256

83008b5d79cd91927f152e4da334ecf90fc6d278ef72b1a5a90cfbd204c57e65
SHA512

7b9a44cbf32eeab52339bde433550f0061e4b8346871635e9898464e33df46788c7bc62682e9187b0bface8f595180f2b5dcec47d519fa7ed26f4d0171df0406
SSDEEP

24576:DQpyBPGxrdclka3bP2WwgTKbgtD8rs1gPPKe5pqBw:0pcEiKdaTmPPKenqm

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
9	iplogger.org
10	iplogger.org

Drops file in Program Files directory 10 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1416	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776372796224604"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
2460	chrome.exe
2460	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeLockMemoryPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeMachineAccountPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeTcbPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSecurityPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeLoadDriverPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemProfilePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemtimePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreatePagefilePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreatePermanentPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeBackupPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeRestorePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeShutdownPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeAuditPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeChangeNotifyPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeUndockPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeSyncAgentPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeEnableDelegationPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeManageVolumePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeImpersonatePrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeCreateGlobalPrivilege	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 31	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 32	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 33	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 34	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: 35	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe
Token: SeCreatePagefilePrivilege	2460	chrome.exe
Token: SeShutdownPrivilege	2460	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe
2460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3736 wrote to memory of 2340	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	84
PID 3736 wrote to memory of 2340	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	84
PID 3736 wrote to memory of 2340	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	84
PID 2340 wrote to memory of 1416	2340	cmd.exe	86
PID 2340 wrote to memory of 1416	2340	cmd.exe	86
PID 2340 wrote to memory of 1416	2340	cmd.exe	86
PID 3736 wrote to memory of 2460	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	89
PID 3736 wrote to memory of 2460	3736	2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe	89
PID 2460 wrote to memory of 4832	2460	chrome.exe	90
PID 2460 wrote to memory of 4832	2460	chrome.exe	90
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 2656	2460	chrome.exe	91
PID 2460 wrote to memory of 1528	2460	chrome.exe	92
PID 2460 wrote to memory of 1528	2460	chrome.exe	92
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93
PID 2460 wrote to memory of 4404	2460	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-02_b7b097c90a2ca190d554090898124dbf_avoslocker_luca-stealer.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc2ebcc40,0x7ffcc2ebcc4c,0x7ffcc2ebcc58
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:2656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:3
    3⤵
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
    3⤵
    PID:4404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3108,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3784,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3832 /prefetch:2
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    PID:3464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
    3⤵
    PID:1584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3100,i,1654832391514942404,10133416262582272672,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
13c7122b3581a8a39b2df223b4a3441c

SHA1
9985b8fba848794cf72c9b36e821721ccefbc00f

SHA256
e4e181d669ec02db24acf2d9222e56f76a5b9db4dadc4677ba0f099a162fd520

SHA512
7f8c2c65deb79af281ecbd73319c00b8480c916283b08f49099a03a2a0514ddeaa94c2f1d95ef0a2d096476a4b3b86c5770715d93373a36183733130b65e67c7

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4ea6b3c5e77fcc430c842752cd75f0bb

SHA1
585f066dfaf09ad6ae72e7ca493a8cd5ecde44a2

SHA256
451c2e22ce069a0467febe931b41c5ca8df7e98fc61b9c14c250ac0cea6fe524

SHA512
8c36a17b5b6d68eb2f1444784c5d7c7190c059d3d47c3220db26818ecf6dcfa6d381ecf78a8db2d254ed51ecfd0aaa123f1ff2535d50266cade6780b8773a69c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
48c6c4ca7919f58209b904bd4dbf717c

SHA1
1984ec414e3fdb89e709e2ebf4877b7d6808bd42

SHA256
da7a80259e9759c13275be9522a50b7568b2803e7bfea4cad7feaf1472370ce7

SHA512
a59aaa92db1d2877d8a579604cedaacd06aa423299ea5ee7f104d8fc336ec2f2a8443c046ed567a5f0032bf897547408e5ea503ed27a3ce54e3ce7cca70adc0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f826fdd06dfc6d1098acfc8123f52d6c

SHA1
1a77f10a77927d2d6c6a128df13d940cf838bce7

SHA256
0efa07b633f1a51b34163df701473203394e3a1ef36b2eca0dd54f93bb0ac9fb

SHA512
777a2e6d47fc56cade89822693ef3de6030132872c41377c509d3c7ab95ce5329de9c174958964da592affabab85cd10af982851beebfa00ad3139fff378852d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
04e0be21b1ec33cbebfeb65e56866c59

SHA1
fbd305d20f6cc6cbcc93bee18d52ac5aa6cd6743

SHA256
b053b968803ba377d198a32ac9aa5aea6bd21aba0bc0605db123c043811ce114

SHA512
5b56a54f290685275f17731b54f6e955fd5a6a0727613af08f995ebbd485e8f24383c45497fc480ddc9b4c230e01d579486916281e5b06ca151b6f0262171ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cddca27ed1c59101aab2577f408e3da5

SHA1
deee14495d720193cbde9d0230a853c1f513933e

SHA256
a41f9d1debe6416a893ef143c81df8226b02dd455c768aaca123ca47308263b7

SHA512
d7f9084af3efef4d7ad89923a9d1311a8a0eee93d8ec452f6ed9782459a1ddb87e15b18a4d4ad96ca1609008e674ca024432412fac18bad37b3855319c1a0dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
841797c16e5e88f6cb76b8dff1015c8a

SHA1
faabb06b42f94ada99c80296873b8f09b9e5212d

SHA256
9bae0c822ec9e72ccba21b37420bbd06db7c449b84c8f397466f30f453b45907

SHA512
c76cd273e98b0cfc22493eba0c26231c45154206becacd131651c0a76da7c62c05fb462337e445ffebcf3a6ce2e1f63fda48ee65e741ff8af14d26096f339242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
836fde124984e254d9574f08803b0d3e

SHA1
3f849c1e44308a2b30c7fa7410af3780994c9322

SHA256
f454cbc5cc79f08937b3ca13c9e7d10d0304f3dfe1144516e9cee718f18aaf07

SHA512
946474167e77bc38cea19b7ab9c5a9427f684bbfb3714cdcd1617db37d0d82756edf8403818367f5f5d4201c5107b564d7ea82ffea9d29877dbd77734bc87934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c9d4b22b50a77d463e620a4b2dfc67f

SHA1
5c7ece3a36fe3d3c89f4717b715edca76d56a853

SHA256
10c07e9abf559c6f556c82099f7b97580a3f7300d4bcd9453bc8a808624b3b55

SHA512
0f06b73d23b051d3e39ed0208014c53c6875b009fe3d1ba71669a4ee2905b1197b6382a7b43de8eb928eaf16f1733707c87b67e200757e8111b3409ed2295509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2b3d571a38e84d239c8ccc8c3b3b91d

SHA1
e472718f4abb0c90da8a86da7c8f9e05332f1471

SHA256
3d3cb7355e19d01c423e9c3973b20810bb24441d4f04754329e676cef959f625

SHA512
d45b13e507f9d4b9660f7d15221f80bc8fc9c0fe5585983c3406ce1713ac55a0a31737e8af676ea3a7be4c635d3c6fd976e76adc42f53747b67fe8b2285ecf08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93e91ac067441164765f599d31087ba7

SHA1
7bdd45c9d8d286ef401ace8a5d5b2e57f185dcfb

SHA256
9920106adfa8d8a1affb4751261d6bd9108872f7b8b7a69026cb3f716646c5d7

SHA512
c5e7c09abda372d04fc4565e8f9baa10689818756d919591f19aaaa50a6d7b34ad1e647e962fb2012cbda51d7071abe6fe9c3166ea993565c36e3c4c51d05c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53f1439c888f3e3a77eade51ad7bd8f3

SHA1
126290abd6c93d30cc83382a283404e0eaddc810

SHA256
ff6b0199198ec2e193a3cacd08e2dd7ef5068ce509bc7c7fdd915c0798271b33

SHA512
4f2b6abe4a4326216815f54fcc91e4cd2911f4febb6722d06fa46c36d735d3f6aad77c97cf6b1e10de82479c39adada4fd67ddffca6a0fb35f0289b5268fba99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3dfb776d2c3755474c6f110753263137

SHA1
1f4531c1dce6bb2f7baf314c52fe572163da2572

SHA256
2b8fd6ae79f2fd4838e162a73947e40596240b6370bc1d969ee88763a0fea880

SHA512
dcd3e2442977d0a9ecfdbd09d8fb95f6b44b6dc33caee9638787679774181f1d65b3e186e373aa2c3e0211c3a06eafd9d91456d9adbad2be8a2f5c1cf501ebb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8352ed5bbe3a7c0fbd94c2e14bc5de31

SHA1
615d9809bb3144ab25b4ee7568644bea36bf9713

SHA256
fa82205adab69607bc80a103488725267ee51f7bae8d6a860ab7f969b8b89308

SHA512
9cc9345e0591135e12308625c589d195ff6178276cd6245d43d46419c7e77165558de27fc05e3aab4214491a8fd7250bc5b9e1dc3cebdbe4fa988dbebb69372e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
ed61a5eb4bda069e46b4d008e579777c

SHA1
745ecef757321aef6abdf62e6dd496fafccba611

SHA256
27ba9053355114cc32b9e4d96a8de774032aa319596dc1c6effa0624e21fbef0

SHA512
77409a0b69a06ec4bb3be8b375bf93681a551909990ba05ae476dbac104db0c76f13997b53622598fbfc50cb241f6a989b65003dba68034ae77ba7adc31e31c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
52f34a942302fd240a1205ea58b1d29b

SHA1
a7b7e2b2c12b51cdd768fe8301426ce4a34c9aef

SHA256
51b9def827011da66c885d88a983f18c3f675a19d81100d8151473c4aae572b3

SHA512
99126c5dbe14cfb5f0ba27669373a6b8eb4bd38e4432dce36ba82272932f8272e350bcbd0d869503979b064d893bb780f08e6544455f33e63660c8a400756e56

Download Submit
\??\pipe\crashpad_2460_VNOKODMRCVQNMPWG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit