socelars | b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Osz8mRDYP0laXozOTuxyUiiF.exe
Size

1.4MB
MD5

0f01bbed1d28eba69835962f39d15261
SHA1

5538f0cc1959b565277060c53d2f5e4d633ed899
SHA256

3e34092ce27276c1b0cdeba1d3f8649258e55f23dfb92fcd9de6d52d5f559e91
SHA512

442a815bc696cdd57bd141565c0ccf983ff9d241129a4bd6ed19d629fd60a5207501abf3ef5c6f19e6e6eab79fc27059f04664809e7572173d3621a2bfb4436d
SSDEEP

24576:avp1T0ZhIjR+IXbtCOEqmb3tUJoEYdG/9QDMbh7zXIqnjvLZL:0pCuZ4OuD4+AhzXIqnjjZL

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	Osz8mRDYP0laXozOTuxyUiiF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	iplogger.org
8	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Osz8mRDYP0laXozOTuxyUiiF.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
980	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795262281033149"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeAssignPrimaryTokenPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeLockMemoryPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeIncreaseQuotaPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeMachineAccountPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeTcbPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSecurityPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeTakeOwnershipPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeLoadDriverPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemProfilePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemtimePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeProfSingleProcessPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeIncBasePriorityPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreatePagefilePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreatePermanentPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeBackupPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeRestorePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeShutdownPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeDebugPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeAuditPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemEnvironmentPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeChangeNotifyPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeRemoteShutdownPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeUndockPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSyncAgentPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeEnableDelegationPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeManageVolumePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeImpersonatePrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreateGlobalPrivilege	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 31	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 32	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 33	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 34	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 35	2208	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe
Token: SeCreatePagefilePrivilege	1220	chrome.exe
Token: SeShutdownPrivilege	1220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe
1220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1620	2208	Osz8mRDYP0laXozOTuxyUiiF.exe	82
PID 2208 wrote to memory of 1620	2208	Osz8mRDYP0laXozOTuxyUiiF.exe	82
PID 2208 wrote to memory of 1620	2208	Osz8mRDYP0laXozOTuxyUiiF.exe	82
PID 1620 wrote to memory of 980	1620	cmd.exe	84
PID 1620 wrote to memory of 980	1620	cmd.exe	84
PID 1620 wrote to memory of 980	1620	cmd.exe	84
PID 2208 wrote to memory of 1220	2208	Osz8mRDYP0laXozOTuxyUiiF.exe	86
PID 2208 wrote to memory of 1220	2208	Osz8mRDYP0laXozOTuxyUiiF.exe	86
PID 1220 wrote to memory of 3760	1220	chrome.exe	87
PID 1220 wrote to memory of 3760	1220	chrome.exe	87
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 3624	1220	chrome.exe	88
PID 1220 wrote to memory of 1576	1220	chrome.exe	89
PID 1220 wrote to memory of 1576	1220	chrome.exe	89
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90
PID 1220 wrote to memory of 3684	1220	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Osz8mRDYP0laXozOTuxyUiiF.exe
"C:\Users\Admin\AppData\Local\Temp\Osz8mRDYP0laXozOTuxyUiiF.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2f72cc40,0x7ffa2f72cc4c,0x7ffa2f72cc58
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:3624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:3
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:4796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4656,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    PID:4104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4836,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:2
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5152,i,15675288233709089853,16631628750298077165,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3468

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b6219f8a5b18503070281a6c72ceffd0

SHA1
d81a1bd1b4b522e9335469e8e89e33c2cfc4a2b3

SHA256
5f123358fedd992d83f09cc88314584fbcf3599100275b9256310147e2cd29a1

SHA512
710eb4c5d5389d5664535e73e199a4e99e2495214c7ec913dddc3248984427bb7405a225fde3fe6a2426ad860e03e1b920f6d144321ace3e42b578d918c5f6ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4cb430c07000a6ca653f6a82d1692c0e

SHA1
272bc99e2620fbc0c937aaf57baab37516b56315

SHA256
be321b915a29cb4874cd6fbafa5415b8365aee062a21660b4ade16b6d1825700

SHA512
9d017678e0ea01597f679f24b30180c7346ad1aa66c86de8bbe380834d4618a68dfb6035bd37eed866eb9915dbcfbbc4900d7955e2fdaddb6b077283d01ab41f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
746a92cc7c49669dfc4fd8d3ebc0cd3f

SHA1
669862b040a100f3a576b793f87af2e715a01f0a

SHA256
362188129e1503028ce5a4f16bab6c4c30876e88fd304e82601503d8c01be6a8

SHA512
ec2ee0fce86c8d666fe879f86515fd451182ef15b872102b39098254ec6c64290bb70535b25b1c01af550ead561ec0a5c815b7ece402260f6af1fad5251cbbd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d40b0c580d74c402f8ddda9a818ab6f

SHA1
6aa5b2b3e370e5324136670cd26100277d28780b

SHA256
dd55eca34ef3d0ccc28031159c45249e0defee9ec53f26e4a51d30dc63f0ad63

SHA512
8da9095cdf5b4ba98d2bdca9ee053a625a1a0cbad44de156fdb0417b8f4847e9806ddb383b09356705aa21f917345afdd589ba2b287f33bead787fc5db097342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
583afa49a9be39a9e49fee5fabf30c3a

SHA1
105d4fa71f415a02adb671c3cebfe55882c9b2e1

SHA256
e2f1e2562593ba9cebb7be91bc8ed541e5ae1a32f3fa26bfe66edcbbfff0ca49

SHA512
fe4e33c3bc4d713a01ae0bb788a6dc769c403bb6eb22013e918efb64a55bb74693455548ca7bbad3c2e0744d80b047edc85c664bff6244dc77bfc06569af88b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9b52fc580ea42f0846dc04d3a68a996

SHA1
c103c6a08df28ff9850027708cd357856bc65ee7

SHA256
03aa835cdedf308f163593f1851f654a8d6acbf232059ea17705252e8273ae91

SHA512
d6879860d6b3737e3957d2d45d1f76c10061ca230451267b4a87c58a7068a7bb719bb3680b01319b911ff9005448b4d351dc63f717853871bd6233fb3ed36947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
844d5d8c7997089da9e7810505b805c8

SHA1
182a4e502957fad79815d7bdd6dc39fd7e4cc41e

SHA256
0fd3c63fb4aca3f516c230dfb9c041786146ac4f24e78227a1094714cdced679

SHA512
daecd45214f702dcae52d6dc3b7b01fee3bb03a950d4a296a243ade4d6ace50e6100589e0d7ed115d610c501660c918006df42358cfd9660646781873e750faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
5ce2cb43178604b18588be99a3d299ee

SHA1
913c17db7a41461502a4c21271ffd1e8fe700887

SHA256
5a1276601feeaf30c3803c07b402b56da4cf71ae89e7070074be74340b196b97

SHA512
cebbb9c4992e0800d276d92579c65b1186c2b96aac082ea84f3b85b2c1c01f65ca3bf6c92744856451749ea9e7c80b0c091eb35577f8180a6158bffc5ba2b887

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
57bd9afe92cf7cce1c2f93a2cd4c547b

SHA1
7c732ed7890aab01dd6fc093a6d32079c2cb554a

SHA256
785592a80eb0423f20a748cc11ecf80f65d21a1defb5adda7c1928686415a0e3

SHA512
2df180f20856dd937e8a97fdf10d337de20adb6a2b27d00fa8ad388a16f6165b7968ab147da58d1241ca52b6d4635a31f4510a53c3771c9b08e3a234da0f17b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
87a1836abb2a6aa7175d75dcca6329b6

SHA1
dd997c0345398c7fead7ded56a66feaf9e90a902

SHA256
04851d248734643e2cefe02a16d150586dfc9fb57f65406947d183b26ca94f49

SHA512
b01375d93bc792f06d66bd67e6760e0a9a7582aac38e5bf62ec7e1d2ae3b55dfff58cabc895789fbc21a9043c86f1f5b88be865811ed8f5ab90158ae4dad36ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
354fb78de52a89d0ba68ae713ce46e24

SHA1
9987c185543c879671c91df7ef9dddc272fc858f

SHA256
d886a4a0d6024b686ba8955c9e655ea0e5ca37404a5f48a904e7de341c5d977b

SHA512
0d18c9e00068e885583ca26166cf97972159e7eec42db0c1ec426998c3fc7493cc3f3656daadfafa6b438c133779a9b8a3221b7d74135aa24538cfa6294d5114

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1220_2042830485\73e97b12-f642-4f09-87ba-34c360f2fb49.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1220_2042830485\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit