socelars | 27703d5957f0113ade3d59b90e5f8ea36806071ee9812a26d1aba7cf08161916

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c952867359623ccc78d72fae96e682.exe
Size

1.4MB
MD5

55c952867359623ccc78d72fae96e682
SHA1

82e880ab8a7f6af15c384b29d69987d291a9a40b
SHA256

d1e7582dfb720d397e34892295c733b2374b7c32cbaea6fca682760c08c1b178
SHA512

211f30a22d7ee07aa66860e20a54fb6d9071bd38d650b55f7d79c15f7f3dbad69d165a3b408de1f224b1aef2629456dc7eb326c48e0b803e1b37c9615a8fe259
SSDEEP

24576:ucprkvVNj0ipxVsvsx2iBY2da02/y+AUDnEQm5n9DKsNaTh9N:jpA3Thl2acE95n9DKsNOh9

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	55c952867359623ccc78d72fae96e682.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	iplogger.org
26	iplogger.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55c952867359623ccc78d72fae96e682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2444	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133794359709562392"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeAssignPrimaryTokenPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeLockMemoryPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeIncreaseQuotaPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeMachineAccountPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeTcbPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeSecurityPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeTakeOwnershipPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeLoadDriverPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeSystemProfilePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeSystemtimePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeProfSingleProcessPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeIncBasePriorityPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeCreatePagefilePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeCreatePermanentPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeBackupPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeRestorePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeShutdownPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeDebugPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeAuditPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeSystemEnvironmentPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeChangeNotifyPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeRemoteShutdownPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeUndockPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeSyncAgentPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeEnableDelegationPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeManageVolumePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeImpersonatePrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeCreateGlobalPrivilege	4272	55c952867359623ccc78d72fae96e682.exe
Token: 31	4272	55c952867359623ccc78d72fae96e682.exe
Token: 32	4272	55c952867359623ccc78d72fae96e682.exe
Token: 33	4272	55c952867359623ccc78d72fae96e682.exe
Token: 34	4272	55c952867359623ccc78d72fae96e682.exe
Token: 35	4272	55c952867359623ccc78d72fae96e682.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3504	4272	55c952867359623ccc78d72fae96e682.exe	83
PID 4272 wrote to memory of 3504	4272	55c952867359623ccc78d72fae96e682.exe	83
PID 4272 wrote to memory of 3504	4272	55c952867359623ccc78d72fae96e682.exe	83
PID 3504 wrote to memory of 2444	3504	cmd.exe	86
PID 3504 wrote to memory of 2444	3504	cmd.exe	86
PID 3504 wrote to memory of 2444	3504	cmd.exe	86
PID 4272 wrote to memory of 2424	4272	55c952867359623ccc78d72fae96e682.exe	94
PID 4272 wrote to memory of 2424	4272	55c952867359623ccc78d72fae96e682.exe	94
PID 2424 wrote to memory of 4192	2424	chrome.exe	95
PID 2424 wrote to memory of 4192	2424	chrome.exe	95
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 2056	2424	chrome.exe	97
PID 2424 wrote to memory of 1976	2424	chrome.exe	98
PID 2424 wrote to memory of 1976	2424	chrome.exe	98
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99
PID 2424 wrote to memory of 324	2424	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\55c952867359623ccc78d72fae96e682.exe
"C:\Users\Admin\AppData\Local\Temp\55c952867359623ccc78d72fae96e682.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb4ecc40,0x7ff8bb4ecc4c,0x7ff8bb4ecc58
    3⤵
    PID:4192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
    3⤵
    PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1900,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2032 /prefetch:3
    3⤵
    PID:1976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:4820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3684,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    PID:3692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:8
    3⤵
    PID:4056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5308,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:2
    3⤵
    PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4960,i,17960520386375168825,13356541283330413392,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1788

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0f478baa-028c-488a-b350-efcd0570598c.tmp

Filesize
231KB

MD5
477debaa3f99f428128fd18d25795cd7

SHA1
92b2c52b45a31456764c5bb4ea3e4dabe39f16d4

SHA256
c637f68befe9f49cbd23d01777d183ccffe4629e6914d38c09981396911fd1ee

SHA512
409dbe6fd476da0f3809470cd278c656d225de278fef57af55ea1366a779b5f3eb3625fec7b51c322693f51c516055624079cc90f2de00e18d594befe3a1c90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ba8e28563cc438b18ef200396c67492c

SHA1
198bd8581ceef9eb8fc3b10e300314b2825360d2

SHA256
a4db65a1704ca42bc1cb9a04d4bb37905c151774fe6019be53e89c8f24f155d4

SHA512
4f98ddb28f70d30570c3f223edf28ca11734cd0f7151eda478f4223dd65efd2120dd3757ef524aed41e3bc4636a627a3dda33f0fbf736cb3542b8a311e28c475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d58dac0147463a62aa361c0bee977b5f

SHA1
f0d324645246fab481b7230a2dcf2a7166e3534b

SHA256
5033642a6fc7a97175b340b54e1ceed8c24f4609604868089d140b6ffd7ee57f

SHA512
b34e2de80c190dc106f37601a9642002a104e5dc052c74a98ae1758484b574cbaca12ba88e30e62d28bba65c468b0ced432524f3df8210339ff43896536fec43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a18dc3284491f68aef3199184f09f753

SHA1
263686fe771a14aeccd1b5b0af6938d6c891a210

SHA256
bed4eeca3b4d13115c8e8a3caa4a20bd551b6f0c5789cafabc7705da04e877a8

SHA512
192b8214b35857131ec3a8f3b89dfec0221f1fa4625ced887a34621533975bcd2cbe32ba9e9e511a0eeac37a5d139cc25586b3869de4e9b33f39c768020511b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2dabe250522ae4a8f945f6f89eb52d17

SHA1
17eeaf620a8d248023b0f1cf9b3ccc0c80532c5e

SHA256
ac744177d5b61b2017287411a2a4540b2ad82c943dbedc3d8b5f19910a73ad08

SHA512
1d2b0adf435af9be986aa5c60308625012d740bff8c2f95b96e5210fbf5ca71550c956da613e443d4cc9af4d953104d9294d9a3812a9eb5f284f67e8a5ffe0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02ea7edba0360a5f687e6f0578c8b0bd

SHA1
a174d9b2f4638d80c80d89cc6d2106640d35cb66

SHA256
7fef2a7ceb37022725b6136b67ff71df0db623c8bc4379e8956e4609328d3e56

SHA512
ac83cafec329323e8a2cef34c9b5eabcff8b07dba388db83e5958f80636a716a4f8decbf77281fc1813121f3736a6c4b3367e471842ec5d505272ba8a15654cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc64fc33c7151f89f4942aedaa3cd913

SHA1
73ddd551de9e572a65ef58e19a1147182b370090

SHA256
21c56eb23841a2394deb2f9dfd40aeda5e50f38188716dba4523c78b6aec3a7e

SHA512
f8f343bbb96103569c33ed838fe963333a67761d70efd8dbe0b2ab6602dc5ce89a3daf3fa29722fd6cb8010c1b76a9b16670c47e02ecbc9debd8be1f7920fef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37de460c7e04480d0af57d80a1688fb2

SHA1
363c6b508aac5b8c04f156903424a0a78089d207

SHA256
26a6bae8ef23e372b91ea4f7738be6407bbc44f4ee265b44e07e7ed5b76cf021

SHA512
063c0055c104a54ea461cf1a39cffb56081ffc20e0747966ec079dc5690ba84171c3ec70b8683b58ff41f73fa6c19fb7c68141e955d3aade41b53de7634ef230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ebfdfa9ba99041ac8e1fc60409ef18e

SHA1
fa7cf73b98ce24a38932c6cb11c86d2334f6ac45

SHA256
05a395694343c53247036a4c4735965bb7c860440f5e8335489ec05215b33a9d

SHA512
03a567d5c0d7d8cae91bb672e7c39bfe9bf818d269da16e591c37f076357b8c86690dfdb82107d439e945393086559657c69e08de8e58de228bc9963a55ca20b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
9060fec9a53707c5a89f49162e2d9913

SHA1
2b157a7bef554305b6f6e0f98ead9671052f6d3f

SHA256
abab04c66d6c47ce3ad0f14383ce36330f149bbd8d63fe4324b8b9510f55c264

SHA512
9c1a3819b65e070a8dbb1af16ae2c1e4a37649b474cc2f7b0c0f22cfc5e51500b2afe7e9ce5796a1dd3cc66fa3686c6598d37fe13c6856ec849b87487aadf653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
75c6ba3a34dfb3b4065e9c9a4442cdcd

SHA1
df3e27ae7186547d246b0b3e044438f0f81b37fa

SHA256
a665a2e06dd96189e5949a331d48064454814cf5ce85769ab54b8deedcbc6597

SHA512
dd46ea33f1da7461eb268bcbdc7c1070f4ecb238bfac28a63a264700ee610a21f85c1224c5a7ae6b1eab02bec4878d68ffa1baff07fcf6f0a3872f464ee5c350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
24b43035215d4a10175b06f0d5de633c

SHA1
9cca94b3209548b0f6fe5e8e464babc62b634924

SHA256
4fff9f3deba9f4727027b79b156ec63495247bbd597fbb763515cd098e725c33

SHA512
164a204499719f23712ae964eb6de75064666683b51b5f46a71838dea31781f9ae6e84235b6df2d4f408bfe1be7ffbb04500c77708b09b3a1afeba112aaace76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e7153b13688f0ad40f639e4af4f99c65

SHA1
e271f40dc2eca1eded7801dde82ddc34f080f212

SHA256
c8ec124e8e1b3b72ddb391cb47248348d20bde09c82c0324d8271e91cd30774d

SHA512
68dcdad015128b81f7385bbb8c7a3315245973f6be9d9da62c3d16cf473ac1df35f0b08b80fc384f2c485d9fc3c050d284dcc3c94f9c30dff200544411064b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2424_1097003232\073ec557-888f-445f-8ca4-ce58c52c8cae.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2424_1097003232\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit