socelars | 4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS8A52FD1B/62a1ea319013f_e64e1ff.exe
Size

1.4MB
MD5

72610bbb73a1f4d4e79ad7476a493ef8
SHA1

d63fa30ab6d612da64da1ceb3557ec7d4270100a
SHA256

fe3b8aa7ce7730aecb8f8477324fec6b024408fb335e3ce29ad9ec3b7f22bcaa
SHA512

9ee12fb68a582f2d520840c06c454ebaefe24f5b02601f9438b093573e420864b2612139037d9c60f159ecc598b1558f8473d40b4ca9cbe5130145fcbed3b680
SSDEEP

24576:k6pYjfuKDGp9FGF3KUK2pdAlLnbYt6GH7LPv1l1QUeRnHWON5bb7YrLs:TpMRGe/4ebLPv1leUQHXbb7iLs

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	iplogger.org
23	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	62a1ea319013f_e64e1ff.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	62a1ea319013f_e64e1ff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	62a1ea319013f_e64e1ff.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62a1ea319013f_e64e1ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3240	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795644827198874"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeAssignPrimaryTokenPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeLockMemoryPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeIncreaseQuotaPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeMachineAccountPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeTcbPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeSecurityPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeTakeOwnershipPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeLoadDriverPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeSystemProfilePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeSystemtimePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeProfSingleProcessPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeIncBasePriorityPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeCreatePagefilePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeCreatePermanentPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeBackupPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeRestorePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeShutdownPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeDebugPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeAuditPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeSystemEnvironmentPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeChangeNotifyPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeRemoteShutdownPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeUndockPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeSyncAgentPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeEnableDelegationPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeManageVolumePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeImpersonatePrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: SeCreateGlobalPrivilege	3744	62a1ea319013f_e64e1ff.exe
Token: 31	3744	62a1ea319013f_e64e1ff.exe
Token: 32	3744	62a1ea319013f_e64e1ff.exe
Token: 33	3744	62a1ea319013f_e64e1ff.exe
Token: 34	3744	62a1ea319013f_e64e1ff.exe
Token: 35	3744	62a1ea319013f_e64e1ff.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 816	3744	62a1ea319013f_e64e1ff.exe	82
PID 3744 wrote to memory of 816	3744	62a1ea319013f_e64e1ff.exe	82
PID 3744 wrote to memory of 816	3744	62a1ea319013f_e64e1ff.exe	82
PID 816 wrote to memory of 3240	816	cmd.exe	84
PID 816 wrote to memory of 3240	816	cmd.exe	84
PID 816 wrote to memory of 3240	816	cmd.exe	84
PID 3744 wrote to memory of 1392	3744	62a1ea319013f_e64e1ff.exe	86
PID 3744 wrote to memory of 1392	3744	62a1ea319013f_e64e1ff.exe	86
PID 1392 wrote to memory of 2056	1392	chrome.exe	87
PID 1392 wrote to memory of 2056	1392	chrome.exe	87
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2108	1392	chrome.exe	88
PID 1392 wrote to memory of 2828	1392	chrome.exe	89
PID 1392 wrote to memory of 2828	1392	chrome.exe	89
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90
PID 1392 wrote to memory of 3992	1392	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea319013f_e64e1ff.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea319013f_e64e1ff.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80cfdcc40,0x7ff80cfdcc4c,0x7ff80cfdcc58
    3⤵
    PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1588 /prefetch:2
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    PID:2828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2500 /prefetch:8
    3⤵
    PID:3992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3132,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    PID:1784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3864,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3884 /prefetch:2
    3⤵
    PID:1288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5300,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:8
    3⤵
    PID:4192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
    3⤵
    PID:3380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5460,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:4236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5060,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2824 /prefetch:2
    3⤵
    PID:1796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5404,i,4861694235044140495,12937267489872074034,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
19KB

MD5
9ece3bd142b5586778dd9e808a0ac934

SHA1
35fe0eade757bbbf2508954107bb69e32ba9ac89

SHA256
575b9adeacbea4541336681b04e645b848ecd3a9d20fc05e3a37460cc1081921

SHA512
bfc81f841bd9df06beb7ddd2fc72247e02c4a4c22f9d7816d321b13511d6dfb8f9ba86e79d16780b9891e090660cad9b1cc0e98ddf2994345a461ca1b074174d

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
368dbd669e86a3e5d6f38cf0025a31fd

SHA1
93c6f457d876646713913f3fa59f44a9a373ff03

SHA256
40d6653a91bd77ecbd6e59151febb0d8b157b66706aab53d4c281bb1f2fe0cd6

SHA512
24881d53e334510748f51ce814c6e41c4de2094fd3acc1f250f8a73e26c64d5a74430b6c891fc03b28fb7bddfcf8b540edcf86498d2bb597e70c2b80b172ee7e

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d6d705da6780af50f74c330e06c3dac9

SHA1
5abad2a6de17ffd81ca7b11615422c4cde3a189a

SHA256
b9f8dad8f03999f22137257be11f5e2b03d9145685abd6f777f47d671773a9b9

SHA512
b63dab1176f79056b3467585e45fbf6a61813f0605b7b96fcbc6c3a6aab2cdc27dcccc3687968b5c886c25c23dc0777ad21ee8214654c8b4804909826bb4ee23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
168B

MD5
ebd9b6d2cb2260f411b34ba56776222f

SHA1
0287887a6280e20e0b4f7c7523b521fd8aa590c5

SHA256
2b8651dda66b07de53b60e09c32527ace3a2a016cf661cd650feb4aa45438951

SHA512
ee91d6f2c45afda89090f8bef226562f3bfe114c09847d4b38b2a82a2f89d648cb1e94d0801b185670a12ac7e78922100805588a0dc6dc8383aa2e4c413c72d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8c4c8044590bdb9b25e41d6abaa4ced9

SHA1
9b96dac0abe9b2e4ac3e3cc06e6094513724174f

SHA256
c993bebfb7567dea98fe325a3d9228280b8c105dba1c32bb110d85dc5187823b

SHA512
3ef125f17a5fe06b2cf63b24f22cbabe19be0e80e9ac16c7ec640a599cb0bbf08d33cd27fea1ac23304ebdefe663226676476c6c795a721bb4a9a25ab1dfc185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
1d45104aef8b202a4591d90b20efcc99

SHA1
9f7cefe9f1e91c8a5024e674def0a28102d63022

SHA256
6b8ace33af6db3fcc06e1f4eb840e92e32788947b5b383a9d57f5dcd8b08e909

SHA512
d9dce5736dd9351a15e78111d9b5b47fa083b1e6ed50558af9ab41eddad20d0d6c02fa0fcd83358d497dd0a24d3866cc4c8e5c2a3df1150996a7e5bb177bd99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
ffa59ede27471812ac3358e86b98d8aa

SHA1
801d3076a98bf3048bb423a0fce16310a90f895d

SHA256
6c7cde0118c112ca989d6de882304b5d2bb02d578da2eaa215c7bc002bd49510

SHA512
afc86505b089aa19163a864b672f7090d4f061147444eb1396cee44bcd6c3ab2f0b86fe4bf1886e09203d6ec9394d662fee35a8affd5d9e356e6e3b7d411d37a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
2d1c1fdd3724cb247653ddab421e8600

SHA1
4578a3cc579e8f581cecebe73c735c60fa2957ab

SHA256
656b31e11e6803a849467939d69fe96dd04608d473ac2bc369d111aac3bda7bd

SHA512
65e2611091d732140ad906a0726b1537828170ef47846b78b6e4c274ffb70672a489e8b51a098ddbe9bb43d7a0292f50e9fe43a1ad555829d7009de425379fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
d109091e5fee1098eafb42a601a10f5d

SHA1
e64adc86d0c8b7918937040b113c8a7f695d3981

SHA256
79cb7d2541426676af10949c13bfa9264e0364ec08c89afbfc4bf2197b0cccd7

SHA512
f6413da6ef4acd8656b47ce272003d89839b16b76d0a4ca01f246ef28d2d0eba4aeb62ae09a40d771f2cf42105208c6edd996f1823b46dbcf5d307c3f4fd04a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c5c0461dbba40079723193d933c16a8

SHA1
336e0f2e539d7a4357fd09ae22d2942ebab5c9e3

SHA256
8b6b372766ba957a1415316141332a777217146745661cc7bc43a730d5a52813

SHA512
d00de1dcc1d2b9fd3ee018b79b71ff6b72300bcc85d3a235d785a2073f71acbba24b8c848d422cb29807076e8b7d40215d422c1d6396a2ecc2302bc6ee342fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d1ba8b52e6801d46ec1d462ddb3b005

SHA1
3520935757041dd82c01c20a86e86101af794805

SHA256
23f82d495f12bfbd9b711b9a1115e32f260941b34d66bffd8a5dfab7216ee837

SHA512
e4bb04dfd7c6700c411583e5097115c8e68dc46bf74b796962f6cee1b06f1da4c2a3c5df0044837199cc83daeb461933e97a49ef716db652f5cd37bc522cf875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48d47191568f6d6d74c726d2e70a1db9

SHA1
e534700adea523d733802b3e3d3924d6ba50d3d2

SHA256
55d8df4ad37a4bc49fc8d812ad1fa2ed6e6c54f25d38d989fc2cf9d977fbc4be

SHA512
6a3956cd16ec8682e65431157a716b35a71ecb191a7d838666942aee6688cb5bda083aebff85b8badab7d24df4afe475dfb502d0023e96f6e7b44a3c22422c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1bcf6394cf044a6623810757c1ca54b3

SHA1
b57ea17deacb389a6b0ece24df122427d05678f1

SHA256
b66fe27112f3fc674e704fb8768f3aa4bdf7749b9a10d275d12c7e921e0eff26

SHA512
08fd5aa12a23a8279a6346456ddf81a2f1dfb531cf93cc1fc7c30f1a7db0cf116b37b497018cd88d36e37cb4dcf606f8489c54c263e6ee06ddd87003a9cf6250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4eb8216887aa377c76b699d981b5225

SHA1
b246c4c54c0338c64598d80e94ff8186dec9e1b0

SHA256
245100cd07c4425257c380a184449bc76e12221013f98a83a7d453efcfec1738

SHA512
4471871bbdf493ff83a6f038a08f5355d0f59d95040794baf6ae1ed00baa5f06ee8691e6de3382e9aa5bec70438352a5873ef8e7a1e6cc78c3ed2ca3968d3b3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0bbcc1504ce89937382e6485b95e545e

SHA1
b6d2542842bc933de481e943db136469c5612e91

SHA256
71afb2ce4474131362bfd718bbdf5b789d7e5fc129a139847df460121a9a587e

SHA512
31dbc0f1f8e0224d0567f3651c4c41831604236d761edfef3e81dc697c2204b9b913d94c171a4a3946b973c36ae980be780429ee8310277dca105075bfd47d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fca814542b1802d55979b0fa70725e00

SHA1
7bf137b7491474435878574c9ee1f137beed59e7

SHA256
6368aa442cce4bb3af4a217bb09d4bce98e06d8e4ac0c47f2b5410c76b9c7820

SHA512
f01db173649fbff7a4bf6b5e9d7bf4f3ec4cd3b76af020173afe677a75e296becf50fb1761fd5d82894e18ff8ee58225af25f60ccdc962cf7f7461cf49292ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d76876581e73f7072d16a4f9a6033524

SHA1
5d711afcb1b56bf3fc7ea2b9187b87d5eb70940d

SHA256
62abf171d7be3d080fd6078395a8c3f2d6384f8df9b530e5ff375d23a4460095

SHA512
d7498892e2cc5a5bd2899a5fc5e2fad728bfcde485343b52cac567b4d8ee4bbcb99735b8c1782f2073c1656e5bc3f9878d20f1f39c2a4e45b3653728621a0cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
d1d8ed3307eca563f1fd31b252849518

SHA1
ed001fa2d1d5c84a2488c350776c9fe3ddc84be8

SHA256
5ccca26ffc857770e3a6314d3143bfa6dd431d936fcbf646fa7262385d67862d

SHA512
7b0c3b6f31cc716f67e9c017878de1a1bb1b5069ccec7bff718b58ce6c84abe952b8d036d9625080a65b3d04098ba85321a3077fab418bfd86ad567681199542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a8a3e4b4b45a54d853691b01e1072ca1

SHA1
1c1ad80e5a8768101ed28e485ca72b0138a077ef

SHA256
7f0c2a683734d4ec2acdf72ac49a97a43928fc91cd1f6367c7efa9aebdae9f6f

SHA512
882f68dc10cf749c218cf32f59a4f6df6fabd43776d87da76bed76152af4d96db2a0b6c911f461051a940a24489077c944413119e9bb4b08511bbda626602fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1392_1048972207\33555e13-e7b2-4f30-a1ba-8dcee4fcf4d5.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1392_1048972207\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit