socelars | e65340a223688a29c1512d8e64e773b6d46229b0177e03e7f33dda28832116c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Size

1.4MB
MD5

3c6a5b8897a2bda4869665e21ac5a80f
SHA1

2858099e58e7cec843b55610c28ef89e03c95a5f
SHA256

5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb
SHA512

1c676d845ed1562fa0d12cc1d615ef1c4f8ef706de85a3c3bccdc8ad639569caf20071b014c61423e8ba450392bec96d8617b687e23f2ca40f459a8bf954c162
SSDEEP

24576:WQAgpBGV2HpWHuREjDnI2AuADZ8KvqC7dH2dtDPc/o/KFuRtg:WgpG57R8cnDPcQ/KURtg

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	iplogger.org
26	iplogger.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4072	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795650660545924"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeAssignPrimaryTokenPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeLockMemoryPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeIncreaseQuotaPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeMachineAccountPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeTcbPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeSecurityPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeTakeOwnershipPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeLoadDriverPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeSystemProfilePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeSystemtimePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeProfSingleProcessPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeIncBasePriorityPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeCreatePagefilePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeCreatePermanentPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeBackupPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeRestorePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeShutdownPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeDebugPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeAuditPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeSystemEnvironmentPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeChangeNotifyPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeRemoteShutdownPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeUndockPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeSyncAgentPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeEnableDelegationPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeManageVolumePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeImpersonatePrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeCreateGlobalPrivilege	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: 31	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: 32	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: 33	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: 34	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: 35	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe
Token: SeCreatePagefilePrivilege	3668	chrome.exe
Token: SeShutdownPrivilege	3668	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2460	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe	83
PID 1484 wrote to memory of 2460	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe	83
PID 1484 wrote to memory of 2460	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe	83
PID 2460 wrote to memory of 4072	2460	cmd.exe	85
PID 2460 wrote to memory of 4072	2460	cmd.exe	85
PID 2460 wrote to memory of 4072	2460	cmd.exe	85
PID 1484 wrote to memory of 3668	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe	87
PID 1484 wrote to memory of 3668	1484	5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe	87
PID 3668 wrote to memory of 3424	3668	chrome.exe	88
PID 3668 wrote to memory of 3424	3668	chrome.exe	88
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 696	3668	chrome.exe	89
PID 3668 wrote to memory of 4836	3668	chrome.exe	90
PID 3668 wrote to memory of 4836	3668	chrome.exe	90
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91
PID 3668 wrote to memory of 4216	3668	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe
"C:\Users\Admin\AppData\Local\Temp\5adc45c44a1394d9140530597cbd7fb5c1df52bef9b9a7ae6e12fadd23c535eb.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ff8747fcc40,0x7ff8747fcc4c,0x7ff8747fcc58
    3⤵
    PID:3424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2032 /prefetch:2
    3⤵
    PID:696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1760,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:3400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
    3⤵
    PID:4184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:2136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3656 /prefetch:8
    3⤵
    PID:320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:8
    3⤵
    PID:2028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8
    3⤵
    PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
    3⤵
    PID:1536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5148,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:2
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5020,i,18048408667111964624,469421921774954729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1068 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0b986284-4ec0-4c7d-9320-358dbf00b2df.tmp

Filesize
9KB

MD5
5319e73870e5aa31dbdc047dc3db837f

SHA1
d672caafde0b4f6ae59f487561c62ab3b9804d16

SHA256
6a15ee4d51a265ecbfa12bb034f0e643b8f59145c291f34c021979a7ef673253

SHA512
3c0a1f9d2a4df85946dbddd57f92de6fc5cc08f759bb781b40ab8a962a9db410ecdbf6c3dea78fd2859dd4bee7bf0429514838c48f47f0c8f5d2c9f1187304fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d63ff9343f7cb1ab6696f94b716378a3

SHA1
5176231057e21b033fdbff1a61a221cb82d36ab3

SHA256
5cc8d6aee3efc3e54d6b98a0e9753e6bdf8570f5d3f7492eb6517e13e7f9d6ec

SHA512
7675f9ba9008d0753ba61e5ecccd4099df7f1d0590fa5419360c01e9442a95f21814dc03e0ac6791d2800fbbcd3e790c7c840e3b52c853cb48dd6ed87d99cdd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7d7a10291350d2915c921a0a585bd006

SHA1
9019eaa1df98c833f190047e1860a11d027ff033

SHA256
7710caf53db040646e71f3036bdb09822d6d95d41542f59894cdbeb3092c6504

SHA512
9ddad16eaff14aa199d816b3a6a9464116484f9c7dfe69e17d9ef162fcbf4341ebf0c3d63314f702bfa7e8865fbe98aa3582a5f96f104544c526729bf8c3b211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
ece4ce9a31fc6fca5e495868419a59c5

SHA1
752ccac130bd2b34e87f06f873cf88ed245d9fad

SHA256
0abebcb33b990c148ddae5acd58ff102e75c4c3233d110b1deca96027c567678

SHA512
0323286b5c9f5cb1e4c9d4ef9c306a7ea5f39e7269c9414bb9da16c3dddcc5b7b484c1baa295b83bd62db909c0066b0c3b0f0ae4285477e052d76fb5ecde08df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
602d2696991e3eb513b0dbd394b0fbc5

SHA1
f3fecccb38c173832419f61eab5600c124e7d2de

SHA256
7c867907e3c1f26b868948a0dbdd8068190adf5e421822bb71a57e74d80c7cdf

SHA512
999e20049d6385dd5ffa13475666cf87455a92cac7424d3eb85428bf28a7c55d0b8bd72f27b1c729f035d4cd7a3932e6e5232eb7bfaeda2176df457cb1d70fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a05e390f13b6575c31ea6d0112bef1c

SHA1
3a66b6e0f26c6652267fc859591918fba0b55943

SHA256
1ca6a9fbd8866d5e8686aeacf978011ce2d985877026ccc2d0d3f8c74fc1571e

SHA512
30292b77720bc9c2c5a515ebad9e3c3883802285497e675bafe185367a03776c28ef20d0a7d73fcec8569b2371e35540f30194d3c0b55a4ba82b7315828b7b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b776844e90284cb2233afb7d5ca88535

SHA1
2f6b244e9fd202f539b56d47a7fac1198e92dd52

SHA256
4aeb46017cb80850ee185104ea332e5bd28403e3c70bc4f08f6f46fc29937fcf

SHA512
fed3786dfb852a8c3d1c00b579a571eebca0694bf11403b875da6280278939001187846fbcd3c6c9f03c4f33a4ff164f9a3354d733d21805f14333b19cbd3f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d40cf24d6f351c291af2809d1b72f3c

SHA1
6590de2d1e37643c1d1f7c7aa43290c3d3e14ada

SHA256
36ff1ef1fcaa68dd7a8df320bd3bf6e7ee3fe9f31caa5545aca3bcb64c61bcbd

SHA512
44635912463d1769c9a851dfb4ecf62623b78ea9489551035637085e5e6563f0605b14dd1dd22b9fd0b00784d1c8b02be6033362bf76c65a77e8ac597c812df0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
b15380e626016c0e579f96d37268e820

SHA1
b0699732328d4d6483785b42b0b747daa7a51667

SHA256
348519ca4f355b1acf4b08def2008e1f81d93b78106149e240f9cf59552b34b8

SHA512
76711505998b792dd78021e72b378ba71f6b9331bb3d59df3553e126222ea52c0257b9c135ecaf6585290b941103ee4d0d3f880051aaa4192a23f1d23b24666f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
997d9044617c6ae6dcd45be9ca242c1c

SHA1
9b9e865424b2a18217d917d32fa119d958a7f742

SHA256
46d12d6f7dda5a6caaadbd106945ef3762a11cb2f5b6cedd0af323f3330f2e20

SHA512
26ceb62e81e7e0231b804e6d0c3678118558602875e8562f57beee271cee3379e57a24f602a49f4a2404a577c5a41dab40f330a26e27fe7559c574862a94a48b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
929eff8a161f10e71ad92183d605a378

SHA1
b1d61a0821c0b0f54acdd1803928ecdc16da6979

SHA256
9e0003a6de9edd9fb279966605d290709b0206c1fd29c1f5f7e4d84f516fec83

SHA512
a8b9f310e0822417720d49e6439ec0454137482466912dd19b4cad480bafbe4a2334a388644da813d35696186800bf800398d8ff12ae2b92bdc30536e039ec06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
057493deb4395ff954f863ff26f25824

SHA1
af6c8fe61a81f6a1e9af4a632fa9e6298efe77f6

SHA256
2718a90c208908ae0097c693e1ee113ad44c2c8b3ab0d7b80b82a32881f280f7

SHA512
f71e0b4a6744331cac1a35ff8cf5a5e6891f49cc213dbd7a088bdba9ac68c96050e3aa6aae3d956571f4f187ff4dbf38998d9127100ca34ea58038c117f27a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a6c99fe7c00ef15f35ae2201456636ec

SHA1
e77573f0d4217a89bcaf3459b300599563c9828b

SHA256
5184dfa1069f1a946e0cb9f6fdc8bd0337f3da2a0d722b6b67758f4e358613dd

SHA512
dfe703a1257a7bde107ad7e500a9aab25654d0c1f25ba93e2adc3d38630289da0d9e7964513dfc689eddbe272567ffe2148605df3004670ccab48988f523af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3668_1534962030\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3668_1534962030\eb6a57e3-ea19-4479-b2e7-4d64527fcd79.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit