socelars | f6171964b572bd77f0232e8788e3565bc5256fde6c251668205a56863c9c3266

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AXmudvi_MxQYK2Swucq9CluH.exe
Size

1.4MB
MD5

ecad37c9dbd960cae35da8c5ba2cba3b
SHA1

5aff572af1769d19692a9e25fdd5f180a4743fb7
SHA256

c136ce5780472330b6210c23508ffdacf4a6bd87931267a7e37b5fb940963227
SHA512

f2645dc3a0ca7f87df8258e65b25583686107735ff451e9ca2e44870391a26f1c985af2a16c895daa77e02a77d444e4f61c4f96d5fc6323e734609bb5715d033
SSDEEP

24576:KEpfLmZkUtN/Wy+jtYkQkbF7vZjHYdG/9QDkMhJgXgalJAiQ/X:7pylrKY2m4+7/gXgalJZwX

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	AXmudvi_MxQYK2Swucq9CluH.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	iplogger.org
9	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AXmudvi_MxQYK2Swucq9CluH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
404	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795251513974450"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeAssignPrimaryTokenPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeLockMemoryPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeIncreaseQuotaPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeMachineAccountPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeTcbPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSecurityPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeTakeOwnershipPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeLoadDriverPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemProfilePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemtimePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeProfSingleProcessPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeIncBasePriorityPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreatePagefilePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreatePermanentPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeBackupPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeRestorePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeShutdownPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeDebugPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeAuditPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemEnvironmentPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeChangeNotifyPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeRemoteShutdownPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeUndockPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSyncAgentPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeEnableDelegationPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeManageVolumePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeImpersonatePrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreateGlobalPrivilege	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 31	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 32	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 33	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 34	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 35	2656	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe
Token: SeCreatePagefilePrivilege	3396	chrome.exe
Token: SeShutdownPrivilege	3396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe
3396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3816	2656	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 2656 wrote to memory of 3816	2656	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 2656 wrote to memory of 3816	2656	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 3816 wrote to memory of 404	3816	cmd.exe	85
PID 3816 wrote to memory of 404	3816	cmd.exe	85
PID 3816 wrote to memory of 404	3816	cmd.exe	85
PID 2656 wrote to memory of 3396	2656	AXmudvi_MxQYK2Swucq9CluH.exe	87
PID 2656 wrote to memory of 3396	2656	AXmudvi_MxQYK2Swucq9CluH.exe	87
PID 3396 wrote to memory of 3896	3396	chrome.exe	88
PID 3396 wrote to memory of 3896	3396	chrome.exe	88
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 4016	3396	chrome.exe	89
PID 3396 wrote to memory of 1460	3396	chrome.exe	90
PID 3396 wrote to memory of 1460	3396	chrome.exe	90
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91
PID 3396 wrote to memory of 5028	3396	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\AXmudvi_MxQYK2Swucq9CluH.exe
"C:\Users\Admin\AppData\Local\Temp\AXmudvi_MxQYK2Swucq9CluH.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa04a6cc40,0x7ffa04a6cc4c,0x7ffa04a6cc58
    3⤵
    PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1572,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=552 /prefetch:2
    3⤵
    PID:4016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:3
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:2932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4032 /prefetch:1
    3⤵
    PID:4464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:8
    3⤵
    PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    PID:2784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5288,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    PID:2268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
    3⤵
    PID:3480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5444,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5528 /prefetch:2
    3⤵
    PID:4524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5252,i,8751938850674566659,376896774543896490,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bd2ecbefd20a2fd1b19c874149e33153

SHA1
05890bf7f29e959fca70edd870b5704f6b76edf6

SHA256
746b1b8476d7aa2f85e7ca35989d0224bf10fe2f873d9c04533f741909e0f7d8

SHA512
d123a43a2a9f8ee3ef0a5c65cd0c5fdc77203488395601938b9e954966974b055c4c3a390f8dd1f92b9d621a164e2fbb49e1faf25199504670b731da15c4e63e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81d24cc74401934ec72ec635ed739cf0

SHA1
432cb6593185f85bacb234b04c45fdc60a212e57

SHA256
74f7659c21cb6814e12eba80bdfc939bbdc19b7cd19e532f5a75f6ccfbf8cd47

SHA512
82268e6ab2a86671b33d384d985d0779d412e75372af1dfc27e422164751f7f2b01adde98809a4460cd6282cd49552421a687328bf1649449280dbc467c712a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bf57dfe9b07539342dc23110b675313e

SHA1
6e3473455be24bac3512c47351fc8c24b919784e

SHA256
6579b4e4cce1a98e3788fbfdc2d60a6858310299825139ef6557107efd37bcbf

SHA512
b7591974fb3b17373e5c3369ff42da1da565cdbd422b58b06a0cfcc18f21ec47d9a403f3821f37ee3611d42b81dc92231ab79b7569701d3f5ada8688e663ab3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a0cd0291e0f2c59fb626ed3c6e242d1

SHA1
9ad562de34b3f124778d2f95377d69ea413e56cc

SHA256
7194615835c56aca4808342b5f3741222f4f0dd0c4cc031162db8f97508637d9

SHA512
6b4c92edf888b9683340c978bc2b76e3c8e7727914e007977e3875f727441d33c952e6c73a94ad420d0c2626069e074f1ff567739d2b6d349c7ac627abb68082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47416d062d0a623f37e76df496776062

SHA1
20717030236db574ca5d7b04cee96e8641206746

SHA256
a6802873c9edf1a3125eefb26a921c75363ef9b69ac1fcc9d4c6e613dc26e847

SHA512
42383417f8dcc00a5266b93544c97e0e4f8985e60f0015ad1fc439823e06c9e4b7ab8663abd786089c61c15f305d05b6ccbd4fe9456dd30c58e4c802287d5ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8e42644ef22ddd5a1d3e12ca949c5535

SHA1
86a70a432fb754f7678ca4bae3a30fb6d42e7eb1

SHA256
41b6cac64e6b4fd9779966bc291e1650ea6d4f462621e0ec54bf9710638394a0

SHA512
f551a291918855a23f3f82e3a4c1acc945bebb0db812910df70e7f608cb3136050808746fbce57a5cfb1a4225d2742ef8675d82671c800dc0ad941db7fa31c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
09ed7abe7f53f088a521e8d81f6c3dc6

SHA1
d8b0fceab80957b44e24fb0f11dec0dbf8a944db

SHA256
0452f6ded757cc1b7cba91b9ef98912d44c33d8b3613c6901f997b4bdbf47b6d

SHA512
1c9ebefcc5512d1737c736a68c24cb9888018c65e297121fe175ccdc117999545742170ce04ddfa6812136636eb8c5c7b53b329a7719f6c406617c67770d3c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
05d80d3f5e7c3ff7316c4ee773f1151f

SHA1
15cab758c501b1c799716e2fc09645b6b6c93d8a

SHA256
6789ff3d0253129c11a07897594d264774c099f3e16e82771b84a808f53e2d6a

SHA512
840fce7af5f672061e193b17d8a8b3520e9f534e706bf7b93e0d2a6babb47c967a454c26492bc393580a5996d9d3792c93042c56530a8c4498bc8db427752ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
79b2ee69ed95c78ff9f30dd868d9144a

SHA1
1abb121166c31eb31a7dee06426a9f3409bb67a6

SHA256
79b2b527f0e5f5381db39f5de75d121bd6e87180a2d6f541f41880459a8901ce

SHA512
56b5034e3ca97bee8fe8b054a548e1433298a4afc0f2f1ce109d0eb6beab0083ac948de82363c867e9ab24637e18c727ebf6daa289e4a64f2e4cd7c981ab15da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
cd0b083760f0d5e96181051caec4d352

SHA1
03df6fe52cafbd3ff37cb5ea69f6e90768082bfd

SHA256
3e706ce057d6424f0b41ed89553ef0fee95810549c8c208031ae1fa1f9efe3ca

SHA512
744478671cc026a982e44c4ff0afbe3bc8be183500def8b6ed6ae7e3bb62b63d93972b233dd63b7d3812d013d31a1931a3d3f875e51aa29ba72b9dd305c35c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ca01853d929c43fac00aff344f66890c

SHA1
f45c2b8ed8057e88819aeafa365efb9ab44550fc

SHA256
cc7b775220a1e90827b81986592a0b9dd1f6f16c5c03d9e79dc70595ced47d87

SHA512
057098510a4adcacfb3e360a0e3b8e5a997d45d2baf0c56ca31e0e55a9c59abce148abb2b259dd6fb05eb2201c7e31cffc26093dc22e85a19d077d92471a9412

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3396_671497022\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3396_671497022\f9b7399c-3d03-42b2-bd2d-1763175119a3.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit